Singapore-based online grocery platform RedMart has suffered a data breach that compromised personal data of 1.1 million accounts. An individual has claimed to be in possession of the database involved in the breach, which contains various personal information such as mailing addresses, encrypted passwords, and partial credit card numbers.
RedMart customers on Friday were logged out of their accounts and prompted to reset their passwords before relogging in. They also were informed of a "RedMart data security incident" that was discovered the day before, on October 29, as part of "regular proactive monitoring" carried out by the company's cybersecurity team.
In its note to customers, RedMart's parent company Lazada[1] said the breach led to unauthorised access to a "RedMart-only database" that was hosted on a third-party service provider. Data on this system was last updated on March 2019 and contained personal information such as names, phone numbers, encrypted passwords, and partial credit card numbers.
Lazada in January 2019 announced plans to integrate the RedMart app[2] into its e-commerce platform, more than two years after it acquired RedMart in November 2016. It also unveiled plans to expand the online grocery service to other Southeast Asian markets. Lazada itself was acquired by Chinese e-commerce giant Alibaba in April 2016[3].
Lazada had stressed the breach impacted only RedMart accounts, and did not affect the data of Lazada's customers. RedMart accounts were formally integrated from March 15, 2019 -- the same month the compromised database was last updated.
ZDNet asked Lazada several questions including how and when the breach happened, why the database was left active since it was no longer in use, and the recourse for customers who might experience a fraudulent credit card transaction due to the RedMart breach.
Lazada did not directly