WHAT HAPPENED
In October 2020, a third party notified the PDPC about an online forum that was selling personal data from various e-commerce sites around the world.
The same post in the forum listed for sale personal information from 1.1 million RedMart accounts. The grocery delivery service, which is owned by e-commerce platform Lazada, was fined S$72,000 last year.
According to the post, the eatigo accounts affected were in Singapore, Hong Kong and Thailand.
Eatigo began investigating when it was informed of the data breach by the PDPC, a user as well as a CNA journalist. It found that the personal data for sale matched the structure of a legacy database containing user data as of late 2018.
The database was last updated then, and was hosted on the infrastructure of a cloud service provider in Singapore.
Eatigo then moved to its current online platform, a process which involved a complete redevelopment of its data storage infrastructure.
The company kept the database to support the migration of data to the new platform, but it transitioned to a new engineering team and did not conduct a proper handover, which meant the team did not know about the database.
The firm’s former chief technology officer had resigned a few months ago, along with various engineers whom he recruited.
The database was also not included in eatigo’s virtual private network infrastructure after the migration.
Eatigo was unable to determine exactly when the threat actor illegally gained access to the database, but this likely happened between 2018 and 2020 when the data was put up for sale.
During this period, the database was accessible from the Internet. Anyone who had the requisite credentials could access it too, but no eatigo employees had these credentials or knew about the database.