Lazada's RedMart Database Has Been Hacked, Affecting 1.1 Million Users

30/10/2020

Singapore-based online grocery platform RedMart suffered a data breach that compromised the personal data of 1.1 million of its users.

Users noticed something was wrong when they were suddenly logged out of their accounts and prompted to reset their passwords before logging back in. They were then informed that a "RedMart data security incident" was discovered a day earlier, on October 29, as part of "regular proactive monitoring" carried out by the company.

In the note, RedMart's parent company Lazada said that the security incident was a breach that led to unauthorized access to a "RedMart-only database" hosted on a third-party service provider.

The database, which was last updated in March 2019, contained personal information of RedMart users, including names, email addresses, phone numbers, encrypted passwords, and partial credit card numbers.

When asked, Lazada stressed that the breach impacted only RedMart accounts and did not affect Lazada's customers at all.

Staff working at the Singapore-based online grocery store RedMart.

Lazada, which was acquired by Chinese e-commerce titan Alibaba back in April 2016, acquired RedMart in November 2016. It then integrated RedMart into its e-commerce platform on March 15, 2019.

The database was apparently last updated the same month it was compromised.

Its spokesperson said the compromised database was a "legacy" system that was no longer in use.

Lazada learned of the breach after its cybersecurity team discovered an individual claiming to be in possession of the database. Lazada took "immediate action" to block unauthorized access to the machine to prevent further damage.

In an announcement on its website regarding the incident, Lazada said that it discovered the breach during the course of regular proactive monitoring.

Under Singapore's Personal Data Protection Act (PDPA), companies are expected to notify the authorities of a suspected data security breach if it affects more than 500 individuals, or where "significant harm or impact" to the individuals is likely to occur due to the breach.

Companies should also notify the authorities no later than 72 hours after completing their assessment of the breach and take no more than 30 days to complete an investigation into a suspected data security breach.

What makes this security incident alarming is that Singapore is a small country with only 5.7 million citizens. Since RedMart is a Singapore-based service, this means that the breach affected about a fifth of the population.

Although the compromised database from the grocery arm of RedMart was more than 18 months old, there is a chance that many of the database entries had not changed by the time the hack happened.

This means that a portion of the 1.1 million users faces possible scam and phishing attacks.

Founded in August 2011, RedMart is reportedly Singapore's largest online supermarket.

Co-founded by Roger Egan III, Vikram Rupani, and Rajesh Lingappa, RedMart overtook Cold Storage, and reportedly sells more than 100,000 products and offers home delivery seven days a week all year round.

It was reported that Lazada acquired RedMart for around $30 million to $40 million.