
Data Breach at XP: An Alert on Risks and Response Obligations

The incident reinforces the importance of transparency, information security, and compliance with the Brazilian Data Protection Law (LGPD).

By Natália Ferreira

Legale Overseas, no. 947.

XP Investimentos reported on April 24, 2025, a security incident involving unauthorized access to a database hosted by an external provider, which occurred on March 22. According to the company, partial registration and financial information of investors were accessed, such as name, phone number, email, date of birth, postal code, marital status, position, nationality, XP account number, balance, position, advisor’s name, credit limit, and data about contracted products, such as credit card, insurance, consortium, and pension plans.

In a statement, the brokerage affirmed that no internal systems were compromised and that passwords, electronic signatures, tokens, access credentials, individual taxpayer registry (CPF), and identity documents were not exposed. It also assured that no financial transactions were carried out and that clients’ funds remain secure.

What does the LGPD say?

According to Article 48 of the Brazilian Data Protection Law (LGPD), the data controller must notify the National Data Protection Authority (ANPD) and the data subjects of any security incident that may result in relevant risk or damage. The notification must occur within a reasonable timeframe, which ANPD Resolution CD/ANPD No. 15/2024 sets at three business days after the incident is identified, and must contain clear information about the data affected, the risks involved, and the measures taken.

In the case of XP, the communication to clients occurred more than a month after the incident, which contravenes the regulatory deadline and raises questions about compliance with the LGPD and the effectiveness of the response adopted.

Risks and preventive measures

Beyond the risks to data subjects, the incident may have significant consequences for XP itself. Depending on ANPD’s analysis, the company may face administrative sanctions, such as warnings or fines, especially if failures in security measures or timely communication are found. There is also the risk of lawsuits and reputational impacts that may undermine market trust.

Although sensitive data were not involved, exposure of registration and financial data can facilitate fraud, social engineering, and personalized scams. XP advised its clients to disregard suspicious contacts and to avoid taking actions on the app based on external guidance.

How should companies prepare?

This episode reinforces the importance of:

  • Conducting periodic audits of providers that handle personal data;
  • Establishing incident response plans with clear communication flows;
  • Promoting continuous training on information security and the LGPD; and
  • Maintaining transparency with data subjects, even in cases of partial data exposure.

Vaz de Almeida Advogados has extensive experience in data protection and is prepared to guide companies in LGPD compliance and in mitigating legal and reputational risks.

Translation Disclaimer
This document was originally drafted in Portuguese and subsequently translated into English using artificial intelligence (AI).

Our publications aim to communicate the legal perspective on relevant developments and provide context to the most significant legal events that may affect companies and organizations. Specific cases require personalized technical attention to the facts, and customized legal advice should be sought before taking any legal or paralegal action. If you, your company, or your board of directors need counsel, contact a trusted attorney.
 
«Legale», «Legale Overseas», «Articles», «Especial», «Tax Panel», «Tax Alert», «Projects» and «News & Alerts» are periodic publications intended as a service to the business community. These materials may include links to third-party websites to facilitate access to referenced services and publications. However, we are not responsible for the integrity of third-party links, which may encounter issues such as server failures, network security vulnerabilities, or other accessibility problems.
 
+55 19 3252-4324
Barão de Itapura, 2323
8th floor, Guanabara
Campinas, SP
Brasil

Vaz de Almeida

VAZ DE ALMEIDA ADVOGADOS is an independent law firm dedicated exclusively to providing legal support for foreign companies in Brazil, as well as for Brazilian companies operating in the country and abroad. We specialize in removing the barriers that consume executives' time and energy, so that they can focus on the work that really matters: exceeding their shareholders' expectations.