A nonprofit organisation in Brazil that helps young people find internships has suffered a major data breach, with attackers claiming to have accessed roughly 546 gigabytes of private records. The organisation, called Gerar, connects first-time job seekers with companies and educational institutions. The breach was disclosed when a post appeared on a data leak forum showing sample files from young applicants dating back several years.
The exposed material is deeply sensitive. According to researchers who analysed the sample dataset, the leak includes scanned copies of medical checkup reports, identity cards, contracts between Gerar and interns, contracts between schools and training programs, and even scanned documents related to military service for some young applicants.
In the sample file set, the researchers found names, email addresses, phone numbers, dates of birth, taxpayer identification numbers, street addresses, family income data, educational background details, and other personal information. That data alone presents a significant risk for identity theft and fraud.
Because many of those affected are young adults just entering the job market, the long-term risk is particularly high. With so much personal detail exposed, bad actors could open accounts, apply for loans, or impersonate victims for years to come. Researchers warn that when someone’s identity is compromised early in their career, it can have a lasting impact on their credit history and employment opportunities.
Gerar offers training, internships, and matching services for young Brazilians entering the workforce. In doing so, it collects high volumes of personal data from both the applicants and the educational or employer partners. That volume of sensitive data, combined with fewer protections typical of youth-oriented or nonprofit programs, makes such an organisation an attractive target.
By compromising the database of a nonprofit like Gerar, attackers gain access not only to raw personal data but also to contract documents, identity verification materials, and educational credentials. All of this can be used for secondary attacks such as phishing, fake credential creation, or corporate impersonation.
How Nonprofits Can Strengthen Data Protection
The Gerar breach demonstrates that even organizations with good intentions can become points of failure in the larger data protection ecosystem. Every nonprofit that collects personal data must take cybersecurity as seriously as larger private companies do.
This means limiting the amount of data collected, encrypting it in storage, and reviewing who has access to it. Regular software updates, penetration testing, and staff training can also prevent many breaches before they occur. Transparent communication after an incident is equally important. Affected individuals should be informed quickly and given practical advice to protect themselves.