RedMart fined S$72,000 for data breach resulting in online sale of customer data
The names, email addresses and other personal data of around 898,791 individuals were stolen from a database in September 2020 and later put up for sale online.
SINGAPORE: Grocery delivery service RedMart has been fined S$72,000 by Singapore’s privacy watchdog for failing to put in place reasonable security measures to protect personal data in its possession.
In October 2020, the personal information of RedMart user accounts was found to be put up for sale on an online forum. This information, stolen from a customer database, included names, encrypted passwords, phone numbers and partial credit card numbers.
Confirming the data breach that month, e-commerce platform Lazada, which owns RedMart, said the information stolen was from a RedMart-only database that had not been updated since March 2019 and was not linked to any Lazada database.
Singapore’s Personal Data Protection Commission (PDPC) said on Monday (Dec 19) that it was first notified of the incident on Oct 29, 2020, and subsequently began investigations.
In a written decision that laid out the facts of the case, its investigations and considerations, it noted that RedMart set out to integrate its platforms with Lazada after being acquired in 2016. Given the substantial time and resources required, this integration - involving a re-design and migration of relevant databases and applications to a cloud infrastructure belonging to Alibaba Group, which owns Lazada - was done in stages.
While RedMart's customer-facing website and mobile application were migrated and ceased operations by March 2019, the migration of RedMart’s back-end system was not completed and remained on cloud storage provided by Amazon Web Services (AWS).
This back-end system was linked to the database containing customers' and sellers' personal information. The database was neither encrypted nor protected by any password authentication requirement for access, PDPC said.
The watchdog's investigations showed that an unidentified threat actor exfiltrated the database in September 2020 after gaining unauthorised access to RedMart's cloud on AWS via a compromised staff account.
Subsequently, the database – containing the names, email addresses and other personal data of around 898,791 individuals – was found on an online forum being offered for sale.
While the affected database was placed behind “various levels of security controls” such as the use of several access keys, PDPC noted that the complexity in the organisation’s network architecture “does not paper over the cracks in its security arrangements”.
“At every level of defence, the organisation’s systems presented clear vulnerabilities that should have been addressed,” it wrote in its judgement.
These included the company's failure to implement reasonable access control on its employees’ user accounts and on access keys that enabled highly-privileged access to parts of its systems, as well as its failure to put in place separate authentication requirements for the affected database.
Following the incident, RedMart and Lazada implemented several remedial measures such as deleting the compromised user account and doing a forced logout and password reset for the accounts of all affected customers and sellers.
The firms also took steps to prevent a recurrence of such incidents by implementing database authentication for all databases containing personal data and restricting access to sensitive databases.
The PDPC said there is “no one size fits all” approach when it comes to protecting personal data. Each organisation should consider adopting security arrangements that are reasonable and appropriate by, for example, considering the nature of the personal data and the possible impact to the individual concerned if an unauthorised person obtained, modified or disposed of the data.
In the case of RedMart, it noted that it was “incumbent on the organisation to implement policies and practices that are commensurate with the organisation’s higher-level security needs to discharge its obligation under the protection obligation” given the high volume of personal data in the affected database.
“For the reasons set out, it is determined that the organisation failed to implement reasonable security arrangements to protect the affected database from the risk of unauthorised access,” the watchdog said.
In determining its decision, the commission said it took into account several “mitigating factors” such as how RedMart implemented swift mitigation measures, cooperated with the investigations and responded to the commission's queries in a prompt and forthcoming manner.
After being informed of PDPC's decision, RedMart sought a reduction in the financial penalty, citing that this was its first breach of the Personal Data Protection Act and that it had voluntarily notified the commission and affected individuals even though it was not legally obliged to do so.
The company also said it was not aware of any misuse involving the personal data of affected individuals.
PDPC said the first two factors had already been taken into account in its preliminary decision and hence did not merit any reduction in the financial penalty. It also ruled out the company's point about the lack of misuse of the personal data, describing it as “neither here nor there”.
“Whilst evidence of exploitative use may be a relevant factor of harm that may be relevant for enhancing the financial penalty, the inverse is not necessarily true,” it added.
In response to CNA's queries, a Lazada spokesperson said RedMart has worked closely with the PDPC since the incident and further strengthened its data security protection measures and practices.
“We have come out from this a stronger organisation with better data security practices, and are confident that our customer data is secure,” said the spokesperson.
“With this matter behind us, Lazada will continue to safeguard our customers' data, and maintain the security and trust of customers as a top priority.”