TL;DR: Cyberattacks in Latin America rose 38% last year, and incidents affecting Mercado Libre, Samsung, Nvidia, and PressReader show how account compromise, data extortion, and system takeover can spread quickly across large enterprises, according to GlobalSign. The pattern reinforces that identity controls, not just perimeter security, determine how far attackers can move once access is obtained.
NHIMG editorial — based on content published by GlobalSign: major cyberattacks in Latin America, including Mercado Libre, Samsung, Nvidia, and PressReader
By the numbers:
- Cyberattacks in Latin America increased 38% last year.
- Police in the UK charged one 16-year-old and one 17-year-old in connection with related cyber offences.
Questions worth separating out
Q: What breaks when an attacker gets a valid user account instead of malware?
A: A valid account bypasses many perimeter defenses and often looks legitimate in logs, which makes early detection harder.
Q: Why do compromised identities create such large blast radius in enterprise incidents?
A: Because access is usually broader than organisations expect.
Q: How can security teams know whether identity controls are actually reducing breach impact?
A: Look for evidence that suspicious accounts are contained fast, active sessions are terminated, and privileged access is limited to the smallest possible set of systems.
Practitioner guidance
- Tighten account-level containment workflows Create playbooks that isolate suspicious user accounts immediately, revoke active sessions, and force re-authentication before attackers can pivot to other systems.
- Map high-risk access paths Identify which employee, admin, and service identities can reach sensitive data stores, financial systems, and cloud consoles, then remove unnecessary standing access.
- Extend governance to non-human identities Apply the same lifecycle discipline to service accounts, API keys, and tokens so compromised automation does not become a hidden escalation path.
What's in the full article
GlobalSign's full blog covers the incident-by-incident detail this post intentionally leaves for the source:
- The original Spanish-language incident summaries for Mercado Libre, Samsung, Nvidia, and PressReader.
- The specific chronology of the reported attacks and the public statements made after each incident.
- The regional context GlobalSign uses to frame why Latin America remains a target for cybercriminal groups.
- The source article's exact wording on the security implications and response steps.
👉 Read GlobalSign's roundup of major cyberattacks in Latin America →
Latin America cyberattacks: what identity teams need to watch?
Explore further
Account compromise is now a governance problem, not just a user problem. When a breach begins with stolen or abused credentials, the control failure sits in identity policy, session oversight, and revocation speed. That makes IAM and access governance part of cyber incident response, not a separate administrative function. Practitioners should treat every compromised account as a potential enterprise access event.
A question worth separating out:
Q: How should organisations respond when an incident starts with stolen credentials?
A: Treat it as a containment race. Disable the account, invalidate sessions and tokens, check for privilege escalation, and verify whether the same identity can reach cloud, email, or administrative systems. Where service accounts exist, review them too, because a human compromise often exposes broader access paths.
👉 Read our full editorial: Identity-driven attack patterns are reshaping Latin America risk