Cyber Incident Victim: Americanas

A cyberattack targeting Brazilian e-commerce conglomerate Americanas.com occurred between February 19 and 20, 2022, disrupting its online operations. The incident rendered the company's digital sales platform unavailable for multiple days, halting e-commerce transactions while physical stores and logistics operations remained functional. Americanas reported a direct financial impact of 923 million Brazilian reais ($183 million) in lost sales attributable to the outage. The company mobilized its internal security team alongside external cybersecurity partners and engaged additional global experts specializing in incident response to investigate and resolve the breach. Operations began a gradual restoration process on February 23, 2022, with full resumption achieved by February 24. Americanas confirmed no evidence of data theft, financial fraud, or additional operational damage beyond the temporary suspension of its digital sales channels.

The attack was attributed to the Lapsus$ Group, a threat actor previously responsible for a December 2021 ransomware attack against Brazil’s Ministry of Health that compromised COVID-19 vaccination records. Despite the incident, Americanas reported a 22% year-over-year increase in total sales for the affected period, with digital sales growing 20% in Q1 2022 as operations normalized. The company stated that without the cyberattack, digital sales growth would have reached 30%. The incident occurred amid a broader increase in cyberattacks across Brazil, with IDC forecasting 2022 IT security spending in the country to rise 10% year-over-year to nearly $1 billion, reflecting heightened organizational focus on cybersecurity resilience following pandemic-related digital acceleration.