Data Leak of Names, RUT, and Phone Numbers in Hidden Internet Leads to Collective Procedure Against Automotive Company Following ODECU Complaint

Original article: Filtración de nombres, RUT y teléfonos habría llegado a la internet oculta: inician procedimiento contra empresa automotriz tras denuncia de ODECU

A suspected data breach involving León Servicio Automotriz has prompted the initiation of a Collective Voluntary Procedure (PVC) by the National Consumer Service (SERNAC). This action was triggered by a substantiated complaint filed by the Consumer and User Organization (ODECU) against León Corp SpA (León Servicio Automotriz), the owner of the website Leon.cl.

According to ODECU’s findings, approximately 392,000 consumer records may have been exposed and are circulating in the hidden internet or deep web. The database reportedly contains sensitive information, including full names, addresses, email addresses, phone numbers, RUT numbers, and automotive service details.

As per the consumer group’s statement, the breach was initially detected on July 8, 2025, by the National Cybersecurity Agency (ANCI), which confirmed the existence of a database linked to the automotive service company.

Deep Web and Sensitive Data: Why SERNAC Sees a «Serious Risk» to Consumers

Exercising its authority, SERNAC reached out to both León Corp SpA and ANCI, seeking information regarding the case. In its response, the company denied any mass data breach, claiming that the reported incidents «do not reflect reality» and that only a limited incident involving a specific client was detected.

Despite this response, SERNAC warned that this situation seriously jeopardizes the affected consumers in terms of fraud, identity theft, and other potential financial or moral damages, considering the volume and sensitivity of the reportedly leaked data.

After evaluating the evidence and confirming a significant potential violation of consumer rights—particularly the rights to security, privacy, and the protection of personal data—SERNAC decided to initiate a Collective Voluntary Procedure with the company.

What is the Goal of the Collective Voluntary Procedure in This Case?

SERNAC clarified that the primary aim of the PVC is to obtain concrete reparative measures for consumers affected by the alleged data leak at León Servicio Automotriz, as well as to ensure the company implements effective security protocols and personal data management to prevent similar incidents in the future.

The Acting National Director of SERNAC, Carolina González, emphasized: «The protection of personal data is a fundamental right for consumers, and incidents of this nature are unacceptable, especially when they expose sensitive information on a massive scale. The Service will employ all its legal powers to ensure appropriate reparations for affected consumers and to guarantee that the company meets the highest standards of information security.»

From ODECU, its president Stefan Larenas welcomed the decision and highlighted the unprecedented nature of the process: «This is good news for consumers. It is the first Collective Voluntary Procedure initiated from a complaint filed by a consumer association, underscoring the importance of organized civil society in protecting their rights.»

The leader added: «We hope that the company takes responsibility, repairs the damage caused, and adopts preventive measures to mitigate the risks of fraud associated with the data leak.»

What is a Collective Voluntary Procedure (PVC)?

The Collective Voluntary Procedure is a SERNAC authority aimed at achieving a prompt, comprehensive, and transparent solution that safeguards the collective interest of consumers affected by corporate conduct.

The maximum duration of a PVC is three months, starting from the third business day after the company is notified of the resolution that initiates it. This timeframe may be extended only once, by an additional three months, through a substantiated resolution by SERNAC, either upon the company’s request or at the Service’s discretion.

In this case, ODECU has announced that it will continue monitoring the development of the procedure to ensure that the adopted measures are effective, transparent, and timely for consumers whose data may have been exposed on the deep web.