Since September, Brazilian media outlets have been bringing to light a commercial dispute involving the country’s major food delivery platforms. According to a report by the news website UOL (accessed on 10/23/2025), a former iFood employee—who now works for 99Food—confessed to authorities that he had sold information to a third company. He was reportedly contacted through a social media platform by a consulting firm that offered him money to participate in interviews with one of its clients. According to the same report, over a total of three paid interviews he was asked for detailed information about the company’s operations, such as “iFood’s revenue by city, details about iFood’s loyalty programs, percentages of sales by payment method (debit card, credit card, and iFood Pago), in addition to his opinions about the delivery market.”
iFood is the leading player in the food delivery sector, holding a market share of roughly 80%, and its shares are traded on BOVESPA, the Brazilian stock exchange. The company has a compliance program, and the leak of trade secrets was discovered thanks to tips received through its whistleblowing channel. Also according to UOL, “the investigation seeks to determine whether the crimes of unfair competition and violation of professional secrecy were committed. He will respond while free.”
Before the end of October, it was 99Food’s turn to make headlines: a report in O Globo newspaper (accessed on 11/05/2025) states that “99 has opened an internal investigation to look into the leak of confidential company data, which may have occurred through thefts of corporate laptops and the actions of alleged consulting firms that reportedly pressured employees in search of strategic information.” The company issued a statement, from which the report highlighted an excerpt saying that “the company’s investigation will include statements and police reports from employees who were harassed in cities where 99Food operates and conducts business, as well as evidence of multiple attempts—some daily—of intrusion into the company’s internal systems and app.”
Questions That Just Won’t Go Away
Anyone working in governance, compliance, data protection, information security, or related fields knows that the human factor is a constant source of risk. The reports raise further questions, such as:
• How did the iFood employee gain access to the data he allegedly shared with the competitor? Were these data he was supposed to access based on his role, or did he exploit a vulnerability in the company’s access-permission structure?
• The 99Food laptops that were stolen or robbed—did they have backups? Password protection? Encrypted data? Did they store confidential information? Should those data even have been kept on executives’ computers, or only in the cloud?
On the other hand, the cases clearly show the importance of having a compliance program and a properly trained and aware team: in both situations, the companies detected the issue in time and have been taking action to protect themselves, including conducting internal investigations and contacting authorities. Nevertheless, considering the importance of mid-sized companies to the Brazilian economy, these news stories make one question inevitable: what would the situation look like if the victim were a mid-sized company?
The Fraud Triangle in Mid-Sized Companies
Fraudsters do not exist only in large corporations—quite the opposite. Donald Cressey, who coined the term “Fraud Triangle,” theorizes that for fraud to occur, three essential elements must converge: pressure, opportunity, and rationalization. In simplified terms, one could say that:
• Mid-sized companies often pay lower salaries and offer fewer benefits than large corporations. Pressure is naturally greater in the former.
• Rationalization, besides all the justifications everyone has heard around the office corridors, gains strength with the compensation issue mentioned above: “with what they pay me here, what did they expect?”
• Opportunity becomes evident when comparing compliance, data protection, and information security programs of mid-sized companies with those of larger ones. Here may lie the strongest element of the fraud triangle for mid-sized organizations: fraudsters often find a wide-open field to access the information, assets, and systems they need to commit the fraud.
It is common to see cases where employees “round up” cents from accounts receivable and transfer them to their personal accounts; sell company inventory “off the books”; or leave the company and take the client list with them. In addition, other personal data sets have value for different stakeholders. For example, payroll data may be of interest to health insurance brokers and payroll-loan companies, in which case an employee profits by selling the database, resulting in a personal data leak. This can happen in companies of any size; the difference in mid-sized ones is that, in most cases, the business owner has no option but to accept the loss, lick their wounds, and move on—if possible.
How To Protect Your Company?
Protection against these risks is not necessarily expensive or complex, but business owners must be determined not only to implement controls but to create a culture of compliance. Unfortunately, that is not what we see in most cases. In prosperous times, with growing results, it is easy to overlook that the hose feeding the company’s cash has multiple leaks, leading entrepreneurs to believe there is no reason to spend time or money on prevention. However, when difficulties arise, the leaks do not shrink—in fact, fraudsters who feel immune usually end up expanding their operations over time.
Fraudsters’ attitudes are clearly unethical, but without clear rules regarding such conduct, it may be more difficult to legally claim compensation for the harm done to the business—not to mention attempting to recover a client portfolio lost to competitors. Even when rules exist, there is still a duty of diligence. Are data properly protected against unauthorized access? Is there an access log? Is there an alert for attempted unauthorized access? Are employees conscious (not just informed) that their passwords are personal and non-transferable? Is there a code of conduct that outlines the consequences of violations? Is the code effectively enforced?
Again: it is neither expensive nor complicated to implement a compliance and data protection program. There are tools and consulting services for companies of all sizes and industries. What truly makes the difference are two key points:
• The business owner and the executive team must be committed to establishing what the market knows as “tone at the top”: they must present themselves, internally and externally, as a coalition that practices and demands compliance from employees and partners.
• The company’s cultural transformation must be actively managed, using organizational change management tools and techniques, until the necessary cultural shift is solidified.
The lack of a structured change management methodology brings the risk that change projects will be completed but not anchored in the company culture, leading employees to abandon new processes and behaviors as if they were passing trends. From the company’s perspective, this means risking investment in change, believing it is protected, and then being surprised by a problem that should no longer exist. It is the well-known “penny wise, pound foolish.” Alia Futura applies and recommends the HUCMI (Human Change Management Institute) methodology. If you’d like to learn more, we are at your service.