The Protection and Consumer Defence Foundation of the State of São Paulo ('PROCON-SP') notified, on 20 August 2021, the Renner Stores SA requesting explanations about the cyber attack/ ransomware suffered by the company on 19 August 2021. In particular, Procon-SP required Renner to inform among numerous topics, those listed below:

• which databases were affected by the attack;
• what was the level of the data exposure;
• for what period the website was unavailable;
• if there is the possibility of a leak of personal customer data and other strategic information;
• additional information about the company's data protection methodologies;
• demonstrations on the recovery plan executed;
• what is the expected deadline for the definitive solution of the problem;
• what service channels are available to consumers during the occurrence;
• the communications sent to consumers and market to clarify the facts; 
• prove the means of access by the consumer to the website targeted by the cyber attack;
• informing which sort of data is necessary to carry out the registration and transactions on the website;
• clarify questions about the encryption process used in the collection, treatment and storage of customer data; and
• questions about the existence or not of a named data protection officer as provided by the Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) ('LGPD')

The company must respond to Procon by 25 August 2021.

You can read the press release, only available in Portuguese, here.