Cyber Incident Victim: 99
Date: Jan 2022
Location: Brazil
Summary
A Brazilian mobility company confirmed a cyberattack compromising approximately 0.006% of its driver partners' accounts, following reports of unauthorized access. Attackers altered victims' registered email addresses and phone numbers, then diverted accumulated earnings from driver profiles to fraudulent accounts. The organization stated it was investigating the incident, collaborating directly with affected individuals to restore account access and provide financial compensation where applicable. The company emphasized its app remained secure for other users during the incident, though it did not disclose the exact number of impacted drivers. Security measures and victim support were prioritized following the breach.
Description
The 99 ride-hailing service confirmed a cybersecurity incident affecting its platform in late January 2022, as disclosed by the company’s Director of Security, Tatiana Scatena, during testimony before the São Paulo Municipal Council’s CPI dos Aplicativos on March 8, 2022. The attack targeted driver partner accounts, with unauthorized actors altering registered email addresses and phone numbers to divert accumulated earnings to fraudulent accounts. Initial reports emerged in January when affected drivers publicly described account takeovers on social media platforms, prompting the company to initiate an investigation upon receiving formal notifications. 99 stated that 0.006% of its active driver base experienced compromised accounts, though it declined to specify the absolute number of impacted individuals. The company characterized the incident as limited in scope but acknowledged financial losses suffered by victims through illicit fund transfers executed by attackers following credential compromise.

99 implemented corrective measures including account normalization procedures and financial compensation for verified losses, while maintaining that the application remained secure for unaffected users throughout the incident. The organization engaged directly with compromised drivers to restore access and address fraudulent transactions, emphasizing operational continuity for the majority of its user base during remediation efforts. Internal investigations remained ongoing at the time of Scatena’s March testimony, with no public attribution provided regarding threat actor identity or intrusion methodology. The incident’s primary operational impact centered on account integrity breaches and financial theft targeting driver earnings, without disclosed evidence of passenger data exposure or systemic platform disruption. Company communications confirmed resolution efforts for affected accounts but omitted technical details regarding attack vectors, detection timelines, or preventive controls implemented post-incident.
