Singapore-based online grocery platform RedMart is a victim of a major data breach, which had compromised the personal data and records of about 1.1 million customers. The responsibility for the action has been claimed by a person, who also claims to possess the database involved in the breach. This database contains personal and sensitive information like name, mailing address, encrypted passwords, and partial credit numbers.
On Friday, customers reported that they had been logged out of their accounts, and had received notifications and prompts, asking them to reset their passwords before re-logging in. Customers were informed about a data security incident at RedMart that was discovered on the previous day. The breach was found while the cybersecurity team was carrying out a ‘regular proactive monitoring’ check.
Lazada, the parent company which owns RedMart, informed customers about the breach, allowing the threat actors to have unauthorized access to a RedMart-only database, which had been hosted on a third-party service provider. The data on this system was last updated in March 2019, and it contained personal information like the names of customers, their contact details, encrypted passwords, and partial credit card numbers.
Lazada had announced plans to integrate RedMart app into its platform in January 1029, and also plans to expand the online grocery service to other Southeast Asian markets. Lazada itself was acquired by Chinese e-commerce giant Alibaba in April 2016.
Lazada has stressed the fact that the attack had only compromised RedMart accounts, and did not affect the data of other Lazada customers. Though several questions were asked regarding the breach, why the database was still active if no longer in use, Lazada did not answer most questions directly. They however did confirm that 1.1 million accounts have been affected.
The compromised database was a ‘legacy’ system, that was no longer in use, and neither was it linked to any Lazada database. The company’s cybersecurity team had discovered an individual, who claimed to be in possession of the database. They have taken “immediate action” to ensure the individual no longer had access to the machine.
Several FAQs were posted on the website after the incident. Customers wanted to know regarding the security incident, and Lazada said that customers’ credit card information is “generally safe” on their systems as they did not store the full 16-digit card number and the CVV on its systems. The answer said, “Nonetheless, we recommend that you keep vigilant and monitor for any unusual activity or suspicious transactions on your credit cards,
Lazada has “voluntarily” reported the incident to Singapore’s Personal Data Protection Commission (PDPC). They are in touch with the proper authorities regarding the case, including the Singapore Police Force. According to laws by the PDPA, firms are required to notify the authorities of a suspected data security breach immediately, if it can cause harm to over 500 individuals. The report must be filed within 72 hours of completing the breach assessment, and should not take more than a month to investigate the suspected data breach.