Exclusive: Major data breach hits Brazilian construction giant
Andrade Gutierrez, a major Brazilian construction conglomerate operating in 11 countries, has suffered a massive security breach.
Members of a hacking group calling itself the “Dark Angels” stole approximately 3 terabytes worth of emails and company information — including names, email addresses, passports, payment information, tax ID numbers, and health insurance details of more than 10,600 current and former employees. The names, titles, dates, and other details contained within the leak match cross-checked public information.
The hackers also obtained blueprints and 3D projections of critical infrastructure projects built by Andrade Gutierrez, including ports and airports, urban mobility and healthcare facilities, as well as work for the 2014 World Cup and 2016 Olympic Games, including the Beira-Rio stadium in Porto Alegre and the Olympic Park in Rio de Janeiro.
Countless emails obtained by the hackers exposed the private data of employees and companies — including logins and passwords to access Andrade Gutierrez’s official profiles on the websites of several municipal and state tax authorities. Possession of these codes would allow access to all sorts of tax returns filed by the company.
A source gave The Brazilian Report access to a 15-gigabyte sample that was made available for download in a Telegram group. According to the hackers, the group tried to inform Andrade Gutierrez of the vulnerability in its servers before making part of the data available.
The breach occurred between September and October, around the same time Andrade Gutierrez entered an out-of-court bankruptcy protection program after accumulating USD 440 million in debt.
The name Andrade Gutierrez made its way into the common Brazilian lexicon in 2015, when the company’s executives were arrested as part of the anti-corruption Operation Car Wash, a massive, years-long anti-corruption task force launched in 2014. The company eventually signed a leniency agreement, promising to return BRL 1.5 billion to the public coffers, in punishment for its corrupt practices in federal public works.
The hackers did not provide specific details about when or how they breached the construction firm’s servers, to avoid being identified. They say Andrade Gutierrez ignored their correspondence, and the system vulnerability they exploited remains open.
“Their IT team was apparently so negligent about their work that it is unlikely they will close their vulnerabilities in the near future,” a member of the Dark Angels told The Brazilian Report through a message exchange on Telegram. The person added that the company tried to delete the compromised files after being notified of the breach — but the hackers had already copied them.
The data leak has many implications. For one, it is a major breach that could result in millions of reais in fines under Brazil’s General Data Protection Law (LGPD) enacted two years ago.
Alain Juillet, a former top official with France’s foreign intelligence agency, cites other risks. “From a business perspective, it exposes the company to ill-intended competitors who may want to copy designs and techniques in other markets, such as Africa or Asia,” Mr. Juillet said.
“But the biggest risk is to public security. A terrorist group with access to such information would have tremendous opportunities to do harm,” he adds.
The Brazilian Report has decided not to publish documents that could create security risks or expose private data.
According to the General Data Protection Law, in force since September 2020, companies that suffer data breaches must notify the National Data Protection Agency (ANPD) and all the people and companies whose data has been compromised.
“This notification must be made within a reasonable period of time, according to the law,” said Lucas Silva, associate director of compliance, forensics, and intelligence at consultancy firm Control Risks. “Seventy-two hours would be standard practice, as the company needs to investigate and take immediate action to prevent further damage related to the breach,” Mr. Silva adds.
“The market takes these situations seriously because they expose a company’s weaknesses in internal controls. It could disrupt future negotiations and contracts,” says Mr. Silva. “Companies that suffer from leaks have to be very careful about how they respond. They don’t want to create panic among investors, but they must also notify the authorities.”
If a company fails to comply with the notification requirements, it can be fined up to 2 percent of its revenue, capped at BRL 50 million (USD 9.6 million). Andrade Gutierrez’s estimated revenue for 2022 was BRL 3.3 billion, according to an earnings report last May.
The Brazilian Report contacted Andrade Gutierrez on February 16 and March 1, but the company said it would not provide comment for this article. Since the breach occurred, Andrade Gutierrez has not acknowledged it publicly.
There is reason to believe the company has taken no action to remedy the crisis. We also contacted CCR, an administrator of infrastructure assets in which Andrade Gutierrez held equity until recently. Despite a wealth of CCR data being compromised by the leak, CCR told The Brazilian Report it was “unaware of the issue.”
As a publicly traded company, CCR would have to have informed investors of the breach if it had any knowledge of it.
The National Data Protection Agency (ANPD) said “there is no public information” on the case, adding that any investigation into non-compliance procedures would be kept confidential anyway.
The breach, one of the largest in recent memory, underscores that Brazilian companies still rely on inadequate cybersecurity tools. Brazil is one of the G20 countries that is making the slowest and most uneven progress toward creating a good cyber defense environment. That’s according to the MIT Technology Review’s Cyber Defense Index. The country ranks 18th overall, behind emerging economies such as Mexico and India.
Latin America’s largest economy was among the five worst performers in the survey’s four pillars: ranking 16th in cybersecurity resources, 17th in critical infrastructure, 18th in organizational capacity, and 19th in policy commitment.
According to Fortinet, the country recorded 31.5 million attempted cyberattacks on businesses in the first half of last year alone.
Another study, by Checkpoint Software, shows that this growth continued in Q3, when cyberattacks in the country increased by nearly 40 percent. Brazil is also (by far) the leader in Latin America in the number of phishing and ransomware-type attacks.
In recent years, major companies such as retailer Americanas, delivery giant iFood, car-rental behemoth Localiza, and meat-packing leader JBS, as well as several government agencies (such as the Health Ministry), have fallen victim to hacks.
Earlier this week, the National Data Protection Authority published its framework for penalties to be imposed on companies and government agencies that fail to protect the data they handle.
According to Guilherme Guimarães, chief counsel at consultancy firm Datalege, the move “gives the regulatory agency muscle” and lays the groundwork for companies to be punished. The Andrade Gutierrez case may give it a chance to flex those muscles.