Serasa Experian 2021 Data Breach

Serasa Experian Brazilian Credit Bureau Breach (2021): 220 Million SSN & Name Records Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Social Engineering · Financial · Full Name · Social Security Number
Low Severity · Website / service breach

Brazilian credit bureau and analytics company.

Verified by ObscureIQ Intelligence
0/100 Breach Risk Index
30 Data Value

Breach Intelligence Summary

Entity: Serasa Experian · Actor: Unknown · Sources: 2 references
Attack: Social Engineering
Profile: Company · Credit reporting and financial data analytics · Data aggregation and scoring services · Brazil
Timeline: Breach (2021-01-20) · Year (2021)
Exposure: 223.7M records · 2 fields: Full Name, Social Security Number
Status: Reported

Executive Summary

Serasa Experian, Brazil's largest consumer credit bureau, became the focal point of what is documented as the largest data breach in Brazilian history when cybersecurity firm PSafe discovered more than 220 million personal records being traded on a dark-web forum in January 2021. The dataset, comprising roughly 1 terabyte of compressed files, was advertised for US $40,000 in Bitcoin and included a searchable web panel. The record count exceeded Brazil's living population because it included deceased individuals.

No organisation has been proven liable. Serasa Experian stated that a forensic review found no evidence of unauthorized access to its core systems, though it acknowledged some data may have originated from its marketing systems. The exposed records included CPF numbers (Brazil's national tax identification equivalent to a Social Security Number), full names, dates of birth, addresses, phone numbers, email addresses, salary ranges, credit scores, and facial images. A separate tranche exposed data on 40 million Brazilian companies.

Because credit bureau data is comprehensive, persistent, and widely reused across financial systems, the practical harm to affected individuals is severe. The combination of identity, financial, and biometric data in a single dataset creates conditions for identity theft, loan fraud, and synthetic identity schemes that can persist for years.

Brazil's national data protection authority, the ANPD, launched a formal inquiry following the discovery. The Federal Police opened Operation Deepwater, a broader investigation that led to arrests in 2024. The Ministry of Justice opened an administrative case under Brazil's data protection law, the LGPD, which could result in substantial fines. A civil legal action was filed in the English High Court in January 2026. Affected individuals face long-term risk of financial fraud and identity exploitation, and should monitor their CPF records and credit activity closely.

ObscureIQ assessment: Severe risk. This data can support identity theft, fraud, synthetic identity creation, financial manipulation, and long-term exploitation. Credit bureau exposures are especially harmful because the data is persistent and widely reused.

Breach Impact

In January 2021 Brazilian cybersecurity firm PSafe uncovered a dataset of more than 220 million personal records being traded on dark web forums — immediately documented as the largest data breach in Brazilian history. The dataset included CPF numbers, full names, dates of birth, addresses, phone numbers, credit scores, income data, and vehicle records. The record count exceeded Brazil's living population because the dataset also encompassed deceased individuals. Serasa Experian denied its systems had been directly compromised, stating its forensic investigation found no evidence of unauthorized access and that some of the data may have originated from its non-sensitive marketing systems. Brazil's ANPD launched a formal inquiry. The Federal Police opened Operation Deepwater, which evolved into a broader investigation resulting in arrests in 2024. The Ministry of Justice opened an administrative case under the LGPD that could trigger significant fines. The Mishcon de Reya English High Court action, filed in January 2026, represents the most recent formal legal consequence of the incident.

About Serasa Experian

Serasa Experian is Brazil's largest consumer credit bureau and data analytics company, a subsidiary of the global Experian group. The company provides credit scoring, identity verification, fraud prevention, and marketing data services to Brazilian financial institutions, businesses, and government entities. It holds comprehensive financial and identity records on virtually the entire Brazilian adult population, sourced through mandatory credit reporting obligations and commercial data partnerships.

Why They Hold Your Data

Credit reporting and analytics firms aggregate highly sensitive identity, financial, contact, and scoring-related data across large populations for risk assessment, lending, and consumer reporting.

Recent Developments

Serasa Experian has faced sustained regulatory pressure in Brazil over its data commercialization practices separate from the 2021 incident. Brazilian courts have at various points ordered the company to restrict data sales, and its practices have been the subject of ongoing scrutiny under the LGPD. In January 2026 London law firm Mishcon de Reya filed a group action in the English High Court against the Serasa Experian group on behalf of affected Brazilians, with registration still open as of early 2026.

Data Points Exposed

2 verified field types
  • Full Name: High
  • Social Security Number: Critical

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity: Critical
Primary downstream threats:
  • Identity theft and synthetic identity construction using government-issued IDs
Threat vectors:
  • Name-based social engineering
  • Full identity theft & synthetic identity fraud

Recommended Actions

If you believe your information may be included:

Protect Your ID Documents
Government-ID exposure enables document fraud — monitor and report misuse.
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the Serasa Experian breach?

Serasa Experian, Brazil's largest consumer credit bureau, became the focal point of what is documented as the largest data breach in Brazilian history when cybersecurity firm PSafe discovered more than 220 million personal records being traded on a dark-web forum in January 2021. The dataset,…

What data was exposed?

Verified fields include Full Name, Social Security Number.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • Breach Index: DataBreach.com (Record & field corroboration)
  • ObscureIQ Intelligence: ObscureIQ proprietary analysis (Risk Index scoring & downstream-threat assessment)
