Singapore-based online grocery platform RedMart has suffered a data breach that compromised personal data of 1.1 million accounts. An individual has claimed to be in possession of the database involved in the breach, which contains various personal information such as mailing addresses, encrypted passwords, and partial credit card numbers. 

RedMart customers on Friday were logged out of their accounts and prompted to reset their passwords before relogging in. They also were informed of a “RedMart data security incident” that was discovered the day before, on October 29, as part of “regular proactive monitoring” carried out by the company’s cybersecurity team. 

In its note to customers, RedMart’s parent company Lazada said the breach led to unauthorised access to a “RedMart-only database” that was hosted on a third-party service provider. Data on this system was last updated on March 2019 and contained personal information such as names, phone numbers, encrypted passwords, and partial credit card numbers. 

Lazada in January 2019 announced plans to integrate the RedMart app into its e-commerce platform, more than two years after it acquired RedMart in November 2016. It also unveiled plans to expand the online grocery service to other Southeast Asian markets. Lazada itself was acquired by Chinese e-commerce giant Alibaba in April 2016.

Lazada had stressed the breach impacted only RedMart accounts, and did not affect the data of Lazada’s customers. RedMart accounts were formally integrated from March 15, 2019 — the same month the compromised database was last updated.

ZDNet asked Lazada several questions including how and when the breach happened, why the database was left active since it was no longer in use, and the recourse for customers who might experience a fraudulent credit card transaction due to the RedMart breach. 

Lazada did not directly address most of the questions, but did confirm that 1.1 million accounts were affected.

A spokesperson said the compromised database was a “legacy” system that was no longer in use and not linked to any Lazada database. 

He added that the company’s cybersecurity had discovered an individual claiming to be in possession of the database and took “immediate action” to block unauthorised access to the machine.

In an FAQ posted on its website regarding the security incident, Lazada said customers’ credit card information was “generally safe” as it did not store the full 16-digit card number and CVV on its systems that are required for payment. “Nonetheless, we recommend that you keep vigilant and monitor for any unusual activity or suspicious transactions on your credit cards,” it noted.

Lazada said it had “voluntarily” reported the security incident to Singapore’s Personal Data Protection Commission (PDPC) and was in touch with other relevant authorities, including the Singapore Police Force.

Under Singapore’s Personal Data Protection Act (PDPA), organisations are expected to notify the authorities of a suspected data security breach if it affects more than 500 individuals or where “significant harm or impact” to the individuals are likely to occur due to the breach. They also must do so no later than 72 hours after completing their assessment of the breach and take no more than 30 days to complete an investigation into a suspected data security breach.

The PDPA is administered by the PDPC. 

RELATED COVERAGE