Brazilian construction giant Andrade Gutierrez suffers major data breach


Under 1 million division

Submitted by

Laura Quirin
The Brazilian Report


Andrade Gutierrez, a major Brazilian construction conglomerate operating in 11 countries, suffered a massive security breach that was revealed by The Brazilian Report in March 2023. A group of hackers stole approximately 3 terabytes of emails and company information, including names, email addresses, passports, payment details, tax ID numbers, and health insurance information of over 10,600 current and former employees. The names, titles, dates, and other leaked details were cross-referenced and found to match publicly available information. Hackers obtained blueprints and 3D projections of critical infrastructure projects built by Andrade Gutierrez, including ports and airports, urban mobility and healthcare facilities, as well as work for the 2014 World Cup and 2016 Olympic Games, including the Beira-Rio stadium in Porto Alegre and the Olympic Park in Rio de Janeiro.
The Brazilian Report had access to a sample of 15 gigabytes of the 3 terabytes leaked. We decided not to publish any personal or private information following data protection law and due to security concerns. The volume of material we received was very large and difficult to analyze at once. It took weeks to find a solution to allow us to analyze the data leak safely. Andrade Gutierrez refused to cooperate with our reporting and remained opaque, avoiding dealing with the sensitive issue we revealed.
This significant breach could lead to fines amounting to millions of reais under Brazil’s General Data Protection Law (LGPD), enacted two years ago. It also exposes the company to unscrupulous competitors who may seek to replicate designs and techniques in other markets. But the biggest risk is to public security. A terrorist group with access to such information would have a significant opportunity to cause harm, as highlighted by a former senior official from France’s foreign intelligence agency cited in the report.
After publication, the case was replicated widely, including by Brazil's biggest news website UOL, and the cybersecurity outlet Teiss. The breach, one of the largest in recent memory, underscores that Brazilian companies still rely on inadequate cybersecurity tools. Brazil is one of the G20 countries that is making the slowest and most uneven progress toward creating a good cyber defense environment, according to the MIT Technology Review’s Cyber Defense Index.
The breach occurred last year, at approximately the same time that Andrade Gutierrez entered an out-of-court bankruptcy protection program after accruing USD 440 million in debt. The name Andrade Gutierrez entered the common Brazilian lexicon in 2015, when company executives were arrested as part of Operation Car Wash, a massive, years-long anti-corruption task force launched in 2014. The company eventually signed a leniency agreement, promising to return BRL 1.5 billion to the public coffers as punishment for its corrupt practices in federal public works.
  • Best online-only news website (fewer than 1 million uniques)
  • Best investigative/enterprise feature (fewer than 1 million uniques)
  • Best business reporting (fewer than 1 million uniques)
  • Best podcast (fewer than 1 million uniques)