Almost 1.1 million accounts have been compromised after Singapore-based online grocery store Redmart suffered a data breach. The breach was confirmed by Redmart’s operator Lazada, a subsidiary of Chinese e-commerce giant Alibaba.
After the Friday breach, an unidentified individual came forward claiming to have the breached database. The database allegedly contains customer personal information such as mailing addresses, encrypted passwords, and partial credit card numbers. Notably, Lazada representatives have not confirmed the total number of accounts compromised.
The database accessed illegally
According to Lazada, the ‘Redmart-only database’ was accessed illegally. The database was hosted by a third-party service provider, and Lazada acknowledged that it was last updated in March 2019, a period when Redmart accounts were formally integrated into the Lazada system. The database held personal information such as names, phone numbers, encrypted passwords, and partial credit card numbers.
The latest breach saw Redmart customers logged out of their accounts before being prompted to reset their passwords. The breach came barely a day after customers were notified of another Redmart data security incident on October 29th as part of the company’s regular monitoring.
Lazada has maintained that its customers were not affected by the breach since it was solely on the Redmart platform. A spokesperson from the company notes that the affected database was a legacy system that was no longer in use with no links to the Lazada database. However, Lazada has not issued further information on why the database was left open and how the breach occurred.
The spokesperson further noted that the individual in possession of the database has been identified by the cybersecurity team. Immediate action has allegedly been taken to stop any further unauthorized access.
Credit card information safe
In an FAQ posted on its website, Lazada assured customers that their credit card information was safe. The FAQ adds that:
“Nonetheless, we recommend that you keep vigilant and monitor for any unusual activity or suspicious transactions on your credit cards.”
Lazada said it had voluntarily notified Singapore’s Personal Data Protection Commission (PDPC) of the breach, as required by the law. The requirement to report suspected data breaches is contained in Singapore’s Personal Data Protection Act (PDPA). The report should be made within 72 hours for breaches affecting more than 500 individuals.
Lazada acquired Redmart in November 2016 and in January last year, it began plans to integrate the RedMart app into its e-commerce platform. Lazada was acquired by Alibaba in April 2016.