RedMart fined S$72,000 for data breach resulting in online sale of customer data

SINGAPORE: Grocery delivery provider RedMart has been fined S$72,000 by Singapore’s privacy watchdog for failing to put in place reasonable security measures to protect the personal data in its possession.

In October 2020, the personal information of RedMart user accounts was found to have been put up for sale on an online forum. This information, stolen from a customer database, included names, encrypted passwords, phone numbers and partial credit card numbers.

Confirming the data breach that month, e-commerce platform Lazada, which owns RedMart, said the information taken was from a RedMart-only database that had not been updated since March 2019 and was not linked to any Lazada database.

Singapore’s Personal Data Protection Commission (PDPC) said on Monday (Dec 19) that it was first notified of the incident on Oct 29, 2020, and subsequently began investigations.

In a written decision that laid out the facts of the case, its investigations and its considerations, it noted that RedMart set out to integrate its platforms with Lazada after being acquired in 2016. Given the substantial time and resources required, this integration, which involved redesigning and migrating the relevant databases and applications to cloud infrastructure belonging to Alibaba Group, which owns Lazada, was done in stages.

While RedMart’s customer-facing website and mobile application were migrated and ceased operations by March 2019, the migration of RedMart’s back-end system was not completed, and it remained on cloud storage provided by Amazon Web Services (AWS).

This back-end system was linked to the database containing customers’ and sellers’ personal information. The database had not been encrypted, nor did it have any password authentication requirement for access, PDPC said.

The watchdog’s investigations showed that the unidentified threat actor exfiltrated the database in September 2020 after gaining unauthorised access to RedMart’s cloud environment on AWS via a compromised staff account.

Subsequently, the database, containing the names, email addresses and other personal data of around 898,791 individuals, was found on an online forum being offered for sale.

While the affected database was placed behind “various levels of security controls”, such as the use of several access keys, PDPC noted that this complexity in the organisation’s network architecture “does not paper over the cracks in its security arrangements”.

“At every level of protection, the organisation’s systems presented clear vulnerabilities that should have been addressed,” it wrote in its judgment.

These included the company’s failure to implement reasonable access control on the employee user accounts and access keys that enabled highly privileged access to parts of its systems, as well as its failure to put in place separate authentication requirements for the affected database.

Following the incident, RedMart and Lazada implemented several remedial measures, such as deleting the compromised user accounts and carrying out a forced logout and password reset for the accounts of all affected customers and sellers.

The companies also took steps to prevent a recurrence by implementing database authentication for all databases containing personal data and restricting access to sensitive databases.
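The two control gaps PDPC singled out, a personal-data database with no authentication and staff access keys carrying highly privileged access, are the kind of thing a routine cloud inventory audit is meant to catch before an attacker does. The Python below is an illustration added to this article, not code from RedMart, Lazada, PDPC or AWS; it runs such a check over a constructed inventory, and the database records, user names, key IDs, policy documents and the 90-day unused-key threshold are all assumptions rather than details from the decision.

```python
"""Offline audit modelled on the two gaps in the PDPC decision: databases
holding personal data reachable without authentication or encryption, and
staff access keys whose policies grant highly privileged access.  Every
record below is constructed sample data (hypothetical names and key IDs),
not RedMart's, Lazada's or AWS's real configuration."""

STALE_KEY_DAYS = 90  # assumed hygiene threshold for unused keys; not from the decision

# Constructed sample inventory of database endpoints.
DATABASES = [
    {"name": "customers-legacy", "personal_data": True, "auth_required": False,
     "encrypted_at_rest": False, "allowed_cidrs": ["0.0.0.0/0"]},
    {"name": "orders", "personal_data": True, "auth_required": True,
     "encrypted_at_rest": True, "allowed_cidrs": ["10.0.0.0/8"]},
    {"name": "metrics", "personal_data": False, "auth_required": False,
     "encrypted_at_rest": False, "allowed_cidrs": ["10.0.0.0/8"]},
]

# Constructed sample of IAM users, their access keys and attached policy documents.
ACCESS_KEYS = [
    {"user": "ops-alice", "key_id": "AKIAEXAMPLE0000001", "last_used_days": 3,
     "policy": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}},
    {"user": "dev-bob", "key_id": "AKIAEXAMPLE0000002", "last_used_days": 412,
     "policy": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                               "Resource": "arn:aws:s3:::reports/*"}]}},
    {"user": "svc-backup", "key_id": "AKIAEXAMPLE0000003", "last_used_days": 1,
     "policy": {"Statement": [{"Effect": "Allow", "Action": ["iam:*", "ec2:Describe*"],
                               "Resource": "*"}]}},
]


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_highly_privileged(policy):
    """True if any Allow statement grants a wildcard or IAM action on every resource.

    A wildcard action on Resource "*" gives broad control of the account, and any
    iam: action can be used to escalate to it, so both count as highly privileged."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            action = action.lower()
            if action == "*" or action.endswith(":*") or action.startswith("iam:"):
                return True
    return False


def audit_databases(databases):
    """Flag databases holding personal data that lack auth, encryption or a network restriction."""
    findings = []
    for db in databases:
        if not db["personal_data"]:
            continue
        if not db["auth_required"]:
            findings.append((db["name"], "no authentication required"))
        if not db["encrypted_at_rest"]:
            findings.append((db["name"], "not encrypted at rest"))
        if "0.0.0.0/0" in db["allowed_cidrs"]:
            findings.append((db["name"], "reachable from any address"))
    return findings


def audit_access_keys(keys, stale_days=STALE_KEY_DAYS):
    """Flag keys with highly privileged policies and keys unused for longer than stale_days."""
    findings = []
    for key in keys:
        if is_highly_privileged(key["policy"]):
            findings.append((key["key_id"], "highly privileged policy attached"))
        if key["last_used_days"] > stale_days:
            findings.append((key["key_id"], f"unused for {key['last_used_days']} days"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_databases(DATABASES) + audit_access_keys(ACCESS_KEYS):
        print(f"{name}: {issue}")
```

Run as a script it lists the legacy customer database three times (no authentication, no encryption, open to the internet) and flags two of the three keys as highly privileged plus one as stale. The point of the `Resource` check in `is_highly_privileged` is that a wildcard action scoped to a single bucket is not the same exposure as one scoped to the whole account; a real audit would feed the inventory from the cloud provider's API and credential reports rather than from literals.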