Large LATAM data breaches

Multiple breaches this week exposed large troves of user credentials and access: Brazilian education platform Daxus leaked over 27 million credentials, Mexican MVNO Flashmobile MX leaked about 500,000 user records, and access to ETB Colombia was reported for sale. (x.com, x.com, x.com) Attackers appear to be monetising telecom and education-platform data, creating immediate remediation and regulatory risks for affected organisations. (x.com)

Three separate leaks hit Latin America in the same week: one tied to a Brazilian education platform, one to a Mexican mobile operator, and one involving alleged access to Colombia’s Empresa de Telecomunicaciones de Bogotá, the Bogotá telecom company. The pattern is simple: attackers are not just stealing files, they are packaging logins and customer records into products they can sell. (x.com, x.com, x.com)

In Brazil, the reported Daxus leak was described as more than 27 million credentials. A credential dump is the digital version of a ring of copied office keys, because one exposed username and password can unlock other systems if people reused the same login elsewhere. (x.com)

In Mexico, the reported Flashmobile MX exposure was about 500,000 user records. A mobile virtual network operator is a phone company that sells service without owning the whole network, which means customer data can sit across billing, support, identity, and carrier-linked systems at the same time. (x.com)

In Colombia, the ETB case was not framed as a giant public dump but as access being offered for sale. That usually means a buyer is being promised a live foothold inside a company, which is often more dangerous than a spreadsheet leak because it can be used for fraud, surveillance, or follow-on ransomware. (x.com, etb.com)

The sectors here are not random. Education platforms hold identity data for students, parents, and staff, while telecom companies hold phone numbers, billing details, service histories, and account-recovery channels that criminals can use to impersonate customers. (x.com, marketscreener.com)

That is why telecom data is so easy to monetize. A record with a name, phone number, email, and account context can be turned into phishing texts, password-reset attempts, port-out fraud, or social-engineering calls that sound real because the caller already knows the victim’s provider and plan. (bakermckenzie.com, messagecentral.com)

Brazil’s legal risk starts immediately because the General Data Protection Law, Brazil’s national privacy law, requires security measures and gives the National Data Protection Authority a formal incident-reporting channel for controllers. Brazil’s law also allows administrative sanctions that can reach 50 million Brazilian reais per violation. (gov.br, gov.br, planalto.gov.br)

Mexico’s pressure is different because its private-sector data law was replaced on March 21, 2025, after publication in the Official Gazette on March 20, 2025. That means any company handling Mexican customer data is now dealing with a newer compliance framework while also navigating a regulator transition after the dissolution of the National Institute of Transparency, Access to Information, and Protection of Personal Data. (hoganlovells.com, gtlaw.com)

Colombia has its own clock running. Under Colombia’s data protection regime, controllers and processors must notify the Superintendence of Industry and Commerce within 15 business days after detecting a security breach or security risk, and the rule does not set a minimum threshold before notification is required. (dlapiperdataprotection.com, cms.law)

For the companies involved, the first job is not public relations. It is figuring out whether the exposed material was old or current, whether passwords were hashed or plain text, whether session tokens or administrator accounts were included, and whether the same access is still open right now. (gov.br, dlapiperdataprotection.com)

For users, the practical risk is immediate even before every fact is confirmed. Anyone who had an account with these services should change reused passwords, turn on multi-factor authentication where available, and treat texts, calls, and emails that mention their provider, school, invoice, or account problem as suspicious by default. (x.com, x.com, x.com)
