That Lazada's online grocery platform RedMart has suffered a serious data breach this week should come as no surprise, especially since it has made several public missteps after folding the app into its own e-commerce app more than a year ago. The security oversight underscores the importance of putting in place a proper integration strategy when companies merge, one that should continue to be reviewed even after the transition is complete.
News broke late Friday that the data of 1.1 million RedMart accounts had been compromised[1], after an individual claimed to have access to a database containing their personal information, including names, mailing addresses, email addresses, phone numbers, encrypted passwords, and partial credit card numbers.
Lazada, which acquired RedMart[2] in November 2016, sent a note Friday to affected customers informing them of a "RedMart data security incident" that it said was uncovered the day before, on October 29, as part of "regular proactive monitoring" carried out by the company's cybersecurity team. RedMart customers were automatically logged out of their accounts and prompted to reset their passwords before logging back in.
In its note, Lazada said the breach led to unauthorised access to a "RedMart-only database" that was hosted on a third-party service provider and had contained "out of date" customer data that was last updated in March 2019. It added that "immediate action" was taken to block the illegal access and that Lazada's own customer data was not affected by the breach.
The Southeast Asian e-commerce operator in January 2019 announced plans to integrate the RedMart app[3] into its platform, more than two years after it acquired RedMart. Lazada itself was acquired by Chinese e-commerce giant Alibaba in April 2016[4]. RedMart accounts were formally integrated on March 15, 2019