Serasa Experian, Brazil's largest consumer credit bureau, became the focal point of what is documented as the largest data breach in Brazilian history when cybersecurity firm PSafe discovered more than 220 million personal records being traded on a dark-web forum in January 2021. The dataset, comprising roughly 1 terabyte of compressed files, was advertised for US $40,000 in Bitcoin and included a searchable web panel. The record count exceeded Brazil's living population because it included deceased individuals. No organisation has been proven liable. Serasa Experian stated that a forensic review found no evidence of unauthorized access to its core systems, though it acknowledged some data may have originated from its marketing systems. The exposed records included CPF numbers (Brazil's national tax identification equivalent to a Social Security Number), full names, dates of birth, addresses, phone numbers, email addresses, salary ranges, credit scores, and facial images. A separate tranche exposed data on 40 million Brazilian companies. Because credit bureau data is comprehensive, persistent, and widely reused across financial systems, the practical harm to affected individuals is severe. The combination of identity, financial, and biometric data in a single dataset creates conditions for identity theft, loan fraud, and synthetic identity schemes that can persist for years. Brazil's national data protection authority, the ANPD, launched a formal inquiry following the discovery. The Federal Police opened Operation Deepwater, a broader investigation that led to arrests in 2024. The Ministry of Justice opened an administrative case under Brazil's data protection law, the LGPD, which could result in substantial fines. A civil legal action was filed in the English High Court in January 2026. Affected individuals face long-term risk of financial fraud and identity exploitation, and should monitor their CPF records and credit activity closely.

Credit reporting and analytics firms aggregate highly sensitive identity, financial, contact, and scoring-related data across large populations for risk assessment, lending, and consumer reporting.

Serasa Experian has faced sustained regulatory pressure in Brazil over its data commercialization practices separate from the 2021 incident. Brazilian courts have at various points ordered the company to restrict data sales, and its practices have been the subject of ongoing scrutiny under the LGPD. In January 2026 London law firm Mishcon de Reya filed a group action in the English High Court against the Serasa Experian group on behalf of affected Brazilians, with registration still open as of early 2026.