The Lazada application seen displayed on a iPhone.
Guillaume Payen | LightRocket | Getty Images
SINGAPORE — Southeast Asian e-commerce firm Lazada said it detected a data breach that exposed personal details of many users in Singapore.
Lazada’s cybersecurity team discovered on Thursday last week that there was illegal access to a customer database for RedMart, the online grocery delivery service in the city-state. The Alibaba-owned company said the information contained in the database was “more than 18 months out of date.”
The database was used by the now decommissioned RedMart app and website and was hosted on a third-party service provider, according to Lazada.
Lazada bought RedMart in late-2016 and last March, it integrated the grocery delivery service with its own app and website — about the same time that the affected database was last updated.
Singapore’s Channel News Asia first reported the incident. The news network said it accessed an online forum which “was purportedly selling personal data” — such as names, telephone numbers, email and passwords — from various e-commerce sites around the world, including the stolen information from Lazada.
CNBC could not independently confirm the contents of the online forum. However, Lazada confirmed to CNBC that personal information from 1.1 million RedMart accounts were compromised.
Information that was illegally accessed included names, phone numbers, addresses, encrypted passwords and partial credit card numbers of RedMart customers. Affected users were logged out of their existing accounts and were prompted to reset their password before logging in. Lazada also said it blocked access to the database immediately.
“Protecting the data and privacy of our users is of utmost importance to us,” Lazada said in a statement on Friday. “Apart from reviewing and fortifying our security infrastructure, we are working very closely with the relevant authorities on this incident and remain committed to providing all necessary support to our users.”
The company said it reported the incident to Singapore’s Personal Data Protection Commission, which enforces the city-state’s personal data protection act. Legislation requires companies to notify the commission and affected individuals of a data breach if it involves the personal data of 500 or more people.
A spokesperson from the commission told CNBC that it’s aware of the incident and is investigating the matter.
A Lazada spokesperson pointed to the statement on Friday when asked if there have been any updates on its investigations into the security breach.
On its website, Lazada said the affected database was not linked to any of its current database.
RedMart saw a surge in usage this year as more people turned to online grocery shopping when the coronavirus pandemic first erupted and Singapore went into a partial lockdown. Online grocery sales on the platform jumped four times after the city-state introduced movement restrictions from early April.
