Singapore-based online grocery platform RedMart was impacted by a data breach in which the personal data of 1.1 million accounts was compromised.
RedMart customers were logged out of their accounts and asked to reset their passwords before logging back in. They were also informed of a “RedMart data security incident” that was found the previous day as part of “regular proactive monitoring” performed by the company’s cybersecurity team.
RedMart’s parent company Lazada notified its customers that the breach led to unauthorized access to a “RedMart-only database” hosted by a third-party service provider. The data included personal information such as names, phone numbers, encrypted passwords, and partial credit card numbers.
In January 2019, Lazada decided to integrate the RedMart app into its e-commerce platform after it acquired RedMart in November 2016. They also had plans to expand the online grocery service to other Southeast Asian markets. Lazada itself was acquired by Chinese e-commerce giant Alibaba in April 2016.
Lazada confirmed that the breach affected only RedMart accounts, and that the data of Lazada’s customers remained unaffected. They confirmed that 1.1 million accounts were affected in the breach.
According to a spokesperson, the compromised database was a “legacy” system that was no longer in use and not linked to any Lazada database. He also stated that the security team of the company found an individual claiming to be in possession of the database and took “immediate action” to block unauthorized access to the machine.
In the FAQ section of its site about the security incident, Lazada stated that customers’ credit card information was safe because it did not store on its systems the full 16-digit card number and CVV that are required for payment.
However, it advised customers to be vigilant and check for any suspicious activity on their credit cards.
Lazada reported the incident to Singapore’s Personal Data Protection Commission (PDPC) and other relevant authorities.
Under Singapore’s Personal Data Protection Act (PDPA), organizations are required to notify the authorities of a suspected data security breach if it affects more than 500 individuals or where “significant harm or impact” to the individuals is likely to occur due to the breach.
The notification must be made within 72 hours of completing the assessment of the breach, and organizations must take no more than 30 days to complete an investigation into a suspected data security breach.