Cyber Incident Victim: C&A

Date: Aug 2018

Location: Brazil

Summary

A cyberattack targeted the Brazilian division of an international fashion retailer, compromising its gift card platform and exposing customer data including identification numbers, email addresses, gift card values, order details, and purchase information. A hacker affiliated with the Fatal Error Crew group publicly leaked the information on Pastebin, reportedly affecting approximately 36,000 customers. The attack allegedly occurred in retaliation against the company's purported misuse of jobseeker data to meet gift card production quotas. The retailer confirmed detecting unauthorized activity in its systems, activated contingency measures, and initiated legal procedures while denying any unauthorized use of personal data.

Description

On or around August 23, 2018, the Brazilian division of international fashion retailer C&A experienced a cyberattack targeting its online gift card platform. The company detected unauthorized activity in its gift card and exchange systems on August 23, triggering immediate implementation of contingency plans and legal proceedings. A hacker using the alias @joshua, affiliated with the group Fatal Error Crew, subsequently published stolen customer data on Pastebin, a platform frequently used for sharing compromised information. The leaked records included personally identifiable information such as customer ID numbers and email addresses, along with transactional details including gift card monetary values, order numbers, and purchase dates. While C&A did not publicly confirm the number of affected individuals, Brazilian technology news outlet Tecmundo reported approximately 36,000 customers had their data exposed through this breach.

The attacker claimed the intrusion was retaliatory, alleging C&A had improperly used jobseeker data to artificially meet gift card creation quotas. C&A's official statement denied any unauthorized use of personal data while emphasizing their commitment to legal compliance and customer experience protection. The company's response focused on containment through existing contingency measures rather than technical specifics about the attack vector or system vulnerabilities. No information was disclosed regarding potential financial losses, operational disruptions, or customer compensation efforts. The breach exclusively impacted Brazilian customers who had purchased digital gift cards, with no indication of wider international system compromise based on available reports. C&A maintained its public stance regarding ethical data handling practices despite the confirmed exposure of sensitive customer information through the criminal leak.
