Lazada RedMart Data Breach : What You Need To Know!

Lazada just admitted that a data breach involving their RedMart customer database that could affect some 1.1 million customers!

Find out what happened, and what it could mean for Lazada and RedMart customers!

 

Lazada RedMart : What Is It?

RedMart is an online grocery platform in Singapore that was founded in August 2011.

Lazada acquired RedMart in November 2016, and started to integrate it into their platform in March 2019.

This March 2019 date is important, because that was when the RedMart database was last updated.

 

Lazada RedMart Data Breach : What Happened?

The Lazada RedMart database was spotted for same in an online forum, amongst many other databases stolen from other e-commerce websites.

In this screenshot, you can see that it claims to have details on 1.1 million Lazada RedMart customers :

  • Email address
  • Password
  • Mailing address
  • Name
  • Phone number
  • Partial credit card information

Picture Credit : CNA

In a statement posted on 30 October 2020, Lazada confirmed the data breach involving their RedMart database.

They assert that only the old RedMart database that was “18 months out of date” when it was last updated in March 2019.

Singapore, 30 October 2020 – Lazada places great importance on protecting your personal information, and we value the trust you have placed with us. On 29 October 2020, as part of our proactive monitoring, our cybersecurity team discovered a data security incident in Singapore, involving a RedMart-only database hosted on a third-party service provider. The customer data hosted on this database is more than 18 months out of date as it was last updated in March 2019.

The customer information that was illegally accessed include the names, phone numbers, emails, addresses, encrypted passwords and partial credit card numbers of RedMart customers. We have taken immediate action to block unauthorised access to the database. This data was used on the previous RedMart app and website, which are no longer in use. Lazada customer data in Southeast Asia is not affected by this incident.

Protecting the data and privacy of our users is of utmost importance to us. Apart from reviewing and fortifying our security infrastructure, we are working very closely with the relevant authorities on this incident and remain committed to providing all necessary support to our users.

We want to be transparent about this incident with all of our customers and reassure you that we are taking it seriously.

They also set their platform to log out all Lazada users, and require them to register a new password.

They are also warning their users to be on the alert for spam mails requesting personal information.

 

Lazada RedMart Data Breach : What’s The Implication?

A Data Breach Is A Data Breach Is A Data Breach

Lazada may claim that the data and privacy of their users are of the utmost importance, but the data breach says otherwise.

They left a database they no longer used since March 2019 on a third-party service provider, and accessible online all this time.

Any half-decent cybersecurity specialist would have told them to take the database offline, unless it was essential to the operation of the website.

Closing The Barn Door After The Horses Have Bolted

Lazada immediately blocked unauthorised access to their RedMart database, but that’s like closing the barn door after the horses have bolted.

Once the data was stolen, all it does is prevent other attackers from stealing the data for themselves.

Lazada Migrated RedMart Users In March 2016

It seems a little disingenuous for Lazada to announce that the data was used in “the previous RedMart app and website, which are no longer in use“.

They appear to have migrated RedMart users to Lazada on 15 March 2016 using the same data that was just stolen.

Unless RedMart users changed their passwords, addresses, phone numbers, email addresses or credit card details AFTER they were migrated to the Lazada platform, they remain exposed by the data breach.

The Data Isn’t Necessarily Outdated

Most of us don’t change our logins and passwords that often. And we often reuse the same login and password combination for different websites.

So it is scant assurance that their RedMart database was last updated in March 2019, even if we take their word that it was more than 18 months out of date.

This data breach exposes all affected RedMart users to the possibility of their other accounts being breached as well.

Only Ex-RedMart Users Affected

The only saving grace we can see here is that it looks like only former RedMart users are affected by this data breach.

That means Lazada users who never registered or used the RedMart app or website are not affected.

 

Lazada RedMart Data Breach : What Can You Do?

If you ever registered for, or used, RedMart before their migration to the Lazada platform in March 2016, we highly recommend that you :

  • change your Lazada password
  • change the password of accounts that use the same password as your Lazada / RedMart account
  • do NOT click on links in emails warning you about this data breach and asking you to change your password
  • do NOT respond to calls or messages warning you about this data breach
  • do NOT respond to requests for personal information

 

Recommended Reading

Go Back To > Cybersecurity | Business | Home

 

Support Tech ARP!

If you like our work, you can help support us by visiting our sponsors, participating in the Tech ARP Forums, or even donating to our fund. Any help you can render is greatly appreciated!

Leave a ReplyCancel reply