Regulatory gaps and corporate espionage threaten sensitive information.
As new players enter Brazil’s food delivery market, the industry is facing a wave of accusations involving unfair competition, corporate espionage, and attempted data theft. While legislation provides some guidelines and companies have their own security policies, experts told Valor that regulatory and operational gaps still leave sensitive information at risk.
In October, after reports filed by iFood, São Paulo’s Civil Police executed two search and seizure warrants—one in the capital and another in the interior of the state—to investigate two former employees of the platform. In the first case, the individual allegedly downloaded 4,900 sensitive files and shared them with a relative. In a police statement, the person said they intended to start a consulting firm.
In the second investigation, another former employee admitted in a messaging group that he had been paid more than R$5,000 for a one-hour conversation with a so-called consulting firm seeking internal information about iFood. He claimed he did not believe the information shared was sensitive.
Both individuals were reportedly working at 99Food, which resumed operations in Brazil in August, and were subject to non-compete clauses in their contracts. These clauses prevent former employees from using strategic knowledge to work for competitors within a certain period and typically include penalties for violations.
Valor found that after these incidents, iFood implemented new internal controls to prevent data leaks, including download validation mechanisms. The cases are still in the forensic phase, with no expected conclusion date, and other incidents are under monitoring.
In a statement, iFood said it was its internal monitoring systems that identified the employees’ behavior and that it has since strengthened its data-sharing rules, protections for external interfaces, and document classification criteria.
Shortly afterward, 99Food announced an internal investigation into repeated attempts to gain unauthorized access to strategic information, including stolen laptops and approaches by alleged consultants targeting employees.
The company said hundreds of staff had received offers ranging from $200 to $1,000 for conversations framed as market research. It also reported thefts and robberies of laptops belonging to key personnel. The investigation is ongoing with no deadline for conclusion.
99Food said it “does not tolerate or endorse any form of misconduct involving illegally obtained external data” and that its operations follow “strict policies” and “accountability mechanisms.”
More recently, the 3rd Police Precinct in Santos launched an inquiry into an alleged corporate espionage attack against Keeta, an international delivery brand owned by China’s Meituan. The complaint claims that at least eight restaurants in Santos were approached by individuals posing as platform employees to collect strategic data.
Keeta began a pilot operation in the Baixada Santista region in late October and expanded into Greater São Paulo in December. Valor learned that investigations are still underway.
Keeta said it has “robust, clear, and transparent” internal policies regarding data security and that it complies with all local laws and requirements to ensure those principles are upheld in Brazil.
For Elizabeth Kasznar, a senior partner at Kasznar Leonardos and expert in intellectual property and trade secrets, the disputes in the delivery sector highlight the lack of clarity regarding what constitutes sensitive operational data. “Client and supplier lists, expansion plans, these may seem harmless, but they’re not,” she said.
Business secrets
Brazil’s 1996 Industrial Property Law (LPI) protects business secrets by treating certain acts as crimes of unfair competition. For information to qualify, it must not be publicly available, must have economic value, and must be safeguarded by reasonable measures such as confidentiality agreements and access controls.
Article 39 of the TRIPS Agreement, which Brazil has ratified, also provides protection against the misuse of confidential information.
Kasznar said the legal framework is strong but outdated.
“With digitalization, it’s become much easier to access and share information. We need clearer definitions of what’s considered strategic,”
she said, adding that although this is a long-standing debate, it has advanced slowly in Brazil.
João Victor Chencci, CEO and partner at AGR Tech, a retail technology consultancy, said that in a competitive, high-investment, fast-moving market, nearly all information becomes sensitive.
“In this industry, the edge is in the details, any leak can compromise competitive advantage,”
he said.
As technology barriers shrink, even seemingly insignificant data can trigger rapid retaliation.
“That makes it even harder for people to distinguish what is or isn’t strategic,”
he said.
In his view, beyond robust technology, which already exists in the sector, a strong culture of data protection is essential.
That includes training on security tools and protocols, as well as alerts and penalties for noncompliance.
“Bad actors will always find ways, but many leaks happen unintentionally due to lack of guidance,”
he said.
Source: Valor International
