Procon-SP and Procon Carioca notified Mercado Livre over the leak of data from 300 thousand users of the marketplace. In a note sent to the retailer, the two consumer-protection bodies asked a series of questions to clarify which information, and what type, was leaked, as well as what data protection measures the company adopted to prevent future incidents.
Mercado Livre confirmed the occurrence of a data leak in a document sent to investors last Monday (7). In the letter, the company claimed that it “enabled security protocols” and is carrying out an “exhaustive analysis”.
Elsewhere in the document, Mercado Livre made it clear that it found no evidence that “passwords, account balances, investments, financial information or credit card numbers” had been leaked.
Procon-SP requires Mercado Livre to state when it detected the leak, which services were involved in the incident and how many customers were affected. The retailer must also provide information on the number of transactions and operations that have been or are still being impacted by the event.
The company must clarify whether its database has been compromised, explaining what specific information was leaked. Procon-SP also requires Mercado Livre to explain what security measures and protocols were used, how many complaints were registered in the company’s channels and how many customers were redirected to customer service.
Procon-SP's list of demands to Mercado Livre includes proof of the technical and administrative security measures provided for in the LGPD (General Data Protection Law). This includes protecting data against unauthorized access or any form of inappropriate and unlawful processing, such as destruction, alteration, loss and communication of personal information.
“The company must also clarify whether it has a data manager appointed and whether it has trained its employees on the application of the LGPD”, says Procon-SP in a note. Mercado Livre has until tomorrow, Friday (11), to respond to the notification from the São Paulo agency.
Mercado Livre did not provide clarification, says Procon
Procon Carioca notes that Mercado Livre did not provide any information to consumers in general, and that “it also did not release a press release” about the data leak. “Thus, it is not known to what extent consumer data was affected,” the entity claims in a statement. Leonardo Gomes, inspection manager at Procon do Rio, said:
“Considering that the Mercado Livre platform is visited daily by thousands of people and with the aim of investigating a possible violation of consumer rights, Procon Carioca launched a preliminary investigation and requested clarification.”
The questions Procon Carioca asked Mercado Livre are similar to those of Procon-SP. The entity wants to know about the identification of leaked data, the number of consumers affected, and whether the retailer’s staff received training in accordance with the LGPD, among other information. The deadline given to the company for sending responses, however, is longer: until next Monday (14).
Hacker group Lapsus$ claims responsibility for leak
Although the company did not go into details about the data leak, the Lapsus$ group claimed responsibility for the incident. On its Telegram channel, the hacker organization ran a poll, and one of the options was a repository of information that supposedly belonged to Mercado Livre.
There is no hard evidence linking Lapsus$ to the leak. However, it would not be the first time that the group has attacked organizations based in Brazil. The group is also responsible for taking the ConecteSUS website, run by the Ministry of Health, offline.
In addition, Lapsus$ has already carried out attacks against Nvidia, Samsung and Claro. In all these operations, the hacker group stole data and demanded something in return, as a kind of “ransom”.