Lazada, owned by Alibaba, suffers a data breach on RedMart



[ad_1]

The Lazada application seen on an iPhone.

Guillaume Payen | LightRocket | fake images

SINGAPORE – Southeast Asian e-commerce company Lazada said it detected a data breach that exposed the personal data of many users in Singapore.

Lazada’s cybersecurity team discovered on Thursday last week that there was illegal access to a customer database for RedMart, the online grocery delivery service in the city-state. The Alibaba-owned company said the information in the database was “more than 18 months out of date.”

The database was used by the now decommissioned RedMart website and app and was hosted by a third-party service provider, according to Lazada.

Lazada bought RedMart at the end of 2016 and last March integrated the grocery delivery service with its own app and website, around the same time that the affected database was last updated.

Singapore’s Channel News Asia first reported the incident. The news network said it accessed an online forum that “allegedly sold personal data,” such as names, phone numbers, email addresses and passwords, from various e-commerce sites around the world, including information stolen from Lazada.

CNBC could not independently confirm the content of the online forum. However, Lazada confirmed to CNBC that the personal information of 1.1 million RedMart accounts was compromised.

The illegally accessed information included names, phone numbers, addresses, encrypted passwords and partial credit card numbers of RedMart customers. Affected users were disconnected from their existing accounts and were asked to reset their password before logging in. Lazada also said that he blocked access to the database immediately.

“Protecting the data and privacy of our users is of the utmost importance to us,” Lazada said in a statement Friday. “In addition to reviewing and strengthening our security infrastructure, we are working closely with the relevant authorities on this incident and remain committed to providing all necessary support to our users.”

The company said it reported the incident to Singapore’s Personal Data Protection Commission, which enforces the city-state’s personal data protection law. The law requires companies to notify the commission and affected persons of a data breach if it involves the personal data of 500 or more persons.

A spokesperson for the commission told CNBC that it is aware of the incident and is investigating the matter.

A spokesperson for Lazada pointed to the statement on Friday when asked if there were updates on his investigations into the security breach.

On his website, Lazada said that the affected database was not linked to any of his current database.

RedMart saw a spike in usage this year as more people turned to online shopping when the coronavirus pandemic broke out and Singapore entered a partial lockdown. Online grocery sales on the platform increased fourfold after the city-state introduced movement restrictions since early April.

[ad_2]