[ad_1]
Singapore-based online grocery platform RedMart has suffered a data breach that compromised the personal data of 1.1 million accounts. A person has claimed to be in possession of the database involved in the breach, which contains various personal information such as email addresses, encrypted passwords, and partial credit card numbers.
RedMart customers on Friday were disconnected from their accounts and asked to reset their passwords before logging in again. They were also informed of a “RedMart data security incident” that was discovered the day before, on October 29, as part of “regular proactive monitoring” conducted by the company’s cybersecurity team.
In its note to clients, RedMart’s parent company Lazada said the breach led to unauthorized access to a “RedMart exclusive database” that was hosted by an external service provider. The data in this system was last updated in March 2019 and contained personal information such as names, phone numbers, encrypted passwords, and partial credit card numbers.
Lazada announced plans in January 2019 to integrate the RedMart app into its e-commerce platform, more than two years after it acquired RedMart in November 2016. It also revealed plans to expand the online grocery service to other markets in Southeast Asia. . Lazada itself was acquired by Chinese e-commerce giant Alibaba in April 2016.
Lazada had emphasized that the breach affected only RedMart accounts and did not affect Lazada’s customer data. The RedMart accounts were formally integrated as of March 15, 2019, the same month that the compromised database was last updated.
ZDNet asked Lazada several questions, including how and when the breach occurred, why the database was left active because it was no longer in use, and the resource for customers who might experience a fraudulent credit card transaction due to the infringement of RedMart.
Lazada did not directly address most of the questions, but confirmed that 1.1 million accounts were affected.
A spokesperson said the compromised database was a “legacy” system that was no longer in use and was not linked to any Lazada database.
He added that the company’s cyber security had discovered an individual claiming to be in possession of the database and took “immediate steps” to block unauthorized access to the machine.
In a FAQ posted on his website about the security incident, Lazada said that customers’ credit card information was “generally safe” as it did not store the full 16-digit card number and CVV in its systems. that are required for payment. “However, we recommend that you remain vigilant and monitor any unusual activity or suspicious transactions on your credit cards,” he said.
Lazada said he had “voluntarily” reported the security incident to the Singapore Personal Data Protection Commission (PDPC) and was in contact with other relevant authorities, including the Singapore Police.
Under Singapore’s Personal Data Protection Act (PDPA), organizations are expected to notify authorities of an alleged data security breach if it affects more than 500 people or if “harm is likely to occur.” or significant impact “to people due to the violation. They must also do so no later than 72 hours after completing their breach assessment and should take no more than 30 days to complete an investigation into an alleged data security breach.
The PDPA is administered by the PDPC.
