Third-party security, comprehensive responsibility: lessons from the Gol/Smiles case for GRC leaders.

Corporate security doesn't just fail in data centers. It fails in mismanaged contracts, invisible integrations and inherited permissions without traceability. And the Gol/Smiles case is not an isolated incident; it is the synthesis of a structural risk that much of the market still underestimates.
On 12/11, Gol Linhas Aéreas confirmed unauthorized access to a third-party system operated by Smiles. The incident affected less than 0.04% of the customer base, but included sensitive data such as emails, identity documents and phone numbers. This is enough to enable identity fraud, social engineering and scams with a high potential for reputational damage.
The problem was not technological. It was architectural. And it starts with how companies model their digital value chain.
Shared risk is indivisible responsibility
Organizations invest in firewalls and cryptography, but keep suppliers with no minimum certifications. The Gol incident exposes a key point: the failure did not occur within the main infrastructure, but in a peripheral link, outside direct governance.
In the context of the LGPD (Art. 46 to 48), this does not exempt the company from liability. The controller is responsible for failures of its operators. Delegating does not exclude. And that is exactly the recurring mistake: treating third-party risk as external.
“Non-sensitive” data is also input to crime
Even with cards, passwords and miles preserved, the exposure of registration data already represents a high risk. In our work at Vennx, we see daily how basic information feeds:
- synthetic identity fraud;
- highly segmented phishing attacks;
- sophisticated attempts at social engineering.
The damage rarely shows up in the breached base itself; it emerges in the following cycles: silent, distributed and recurring.
Security is not an answer, it is architecture
Gol's response followed the protocol: notification to the ANPD, forensic investigation and communication with the data subjects. But prevention requires more than a crisis plan. It requires a continuous governance model, with visibility into the ecosystem of third parties.
Most companies still operate on the “manual and reactive” model. There is a lack of automation, integration and centralized visibility. What we call dynamic GRC is missing.
Three pillars to restructure third-party protection
1. Continuous, not one-off, due diligence
Technical audit, certification requirement (ISO 27001, SOC 2), contractual review with security clauses and joint and several liability.
2. Predictive monitoring with AI
Traceability of access, APIs and integrations. Tools such as Oracle cross-reference data in real time, identify deviations and correct inconsistencies automatically.
3. Responsive governance
Automated response triggers, regulatory impact mapping and contingency plans integrated across technical, legal and operational areas.
Conclusions that the market cannot ignore
Gol/Smiles is no exception. It is the symptom of an outdated architecture. And the market can no longer operate under the illusion that security is a department. It needs to be a structuring, transversal, auditable and scalable axis.
At Vennx, we create solutions that work where paper and spreadsheet don't reach. With AI, automation and governance applied to the regulatory reality of audited companies, we give visibility and control to complex systems, before, during and after risk.

