SINGAPORE: Personal information from 1.1 million RedMart accounts was stolen from e-commerce platform Lazada and sold online in a data breach.
A Lazada spokesperson confirmed this on Friday (Oct 30).
CNA had earlier come across an online forum which was purportedly selling personal data from various e-commerce sites around the world, including Lazada.
The site claimed to have information like names, phone numbers and partial credit card numbers from about 1.1 million users.
"Our cybersecurity team discovered an individual claiming to be in possession of a RedMart customer database taken from a legacy RedMart system no longer in use by the company," a spokesperson from Lazada said in a statement, referring to the online supermarket platform it acquired in 2016.
Lazada added that the information stolen was last updated in March 2019, and the affected RedMart-only database is not linked to any Lazada database.
"This RedMart-only information is more than 18 months out of date and not linked to any Lazada database. The user information that was illegally accessed includes names, phone numbers, email and mailing addresses, encrypted passwords and partial credit card numbers. We have taken immediate action to block unauthorised access to the database."
Lazada is investigating the data breach and has informed the Personal Data Protection Commission.
"We have taken immediate action to block unauthorised access to the database," the Lazada spokesperson said.
"Protecting the data and privacy of our customers is a top priority, and we are working swiftly to resolve this."
In an email to customers, Lazada said it discovered the breach on Thursday as part of its "proactive monitoring", adding that its current customer data is not affected.
"Your existing Lazada account password is protected by encryption," it said.
"As a further security measure, we have logged you out of your existing account and you will be requested to input a new password upon your login."
It also warned customers to be on the alert for spam emails requesting personal information.
"Lazada does not request customers to verify your personal information," it added.
A spokesperson for the Personal Data Protection Commission said it is aware of the incident and is investigating.