SINGAPORE: Grocery delivery service RedMart has been fined S$72,000 by Singapore’s privacy watchdog for failing to put in place reasonable security measures to protect personal data in its possession.

In October 2020, the personal information of RedMart user accounts was found to be put up for sale on an online forum. This information, stolen from a customer database, included names, encrypted passwords, phone numbers and partial credit card numbers.

Confirming the data breach that month, e-commerce platform Lazada, which owns RedMart, said the information stolen was from a RedMart-only database that had not been updated since March 2019 and was not linked to any Lazada database.

Singapore’s Personal Data Protection Commission (PDPC) said on Monday (Dec 19) that it was first notified of the incident on Oct 29, 2020, and subsequently began investigations.

In a written decision that laid out the facts of the case, its investigations and considerations, it noted that RedMart set out to integrate its platforms with Lazada after being acquired in 2016. Given the substantial time and resources required, this integration - involving a re-design and migration of relevant databases and applications to a cloud infrastructure belonging to Alibaba Group, which owns Lazada - was done in stages.

While RedMart's customer-facing website and mobile application were migrated and ceased operations by March 2019, the migration of RedMart’s back-end system was not completed and it remained on cloud storage provided by Amazon Web Services (AWS).

This was linked to the database containing customers' and sellers' personal information. The database was not encrypted nor did it have any password authentication requirement for access, PDPC said.

The watchdog's investigations showed that an unidentified threat actor exfiltrated the database in September 2020 after gaining unauthorised access to RedMart's cloud on AWS via a compromised staff account.

Subsequently, the database – containing the names, email addresses and other personal data of around 898,791 individuals – was found on an online forum being offered for sale.

While the affected database was placed behind “various levels of security controls” such as the use of several access keys, PDPC noted that the complexity in the organisation’s network architecture “does not paper over the cracks in its security arrangements”.

“At every level of defence, the organisation’s systems presented clear vulnerabilities that should have been addressed,” it wrote in its judgement.

These included how the company failed to implement reasonable access control on its employees’ user accounts and access keys, which enabled highly privileged access to parts of its systems, as well as to put in place separate authentication requirements for the affected database.

Following the incident, RedMart and Lazada implemented several remedial measures such as deleting the compromised user account and doing a forced logout and password reset for the accounts of all affected customers and sellers.

The firms also took steps to prevent the recurrence of such incidents by implementing database authentication for all databases containing personal data and restricting access to sensitive databases.
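As an added illustration (not code from this article, nor from RedMart or Lazada), the following Python audit runs over a constructed inventory of datastores and access keys and flags the three gaps the PDPC decision faulted: a personal-data store reachable without authentication, stored unencrypted, and not restricted to named principals, plus active keys carrying highly privileged rights. The inventory, the datastore and key names, and the privilege strings are all made up for the example; a second, hardened inventory shows the corrective controls described above producing no findings.

```python
# Added example, not part of the article or of RedMart/Lazada's systems.
# Audits a constructed inventory against the controls the PDPC faulted.
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Datastore:
    name: str
    holds_personal_data: bool
    auth_required: bool          # credential check on the database itself
    encrypted_at_rest: bool
    allowed_principals: set[str] = field(default_factory=set)  # empty = unrestricted

@dataclass
class AccessKey:
    key_id: str
    owner: str
    privileges: set[str]
    active: bool

# Hypothetical privilege names treated as "highly privileged" for this audit.
HIGH_PRIVILEGE = {"db:admin", "iam:*", "*"}

def audit(datastores: list[Datastore], keys: list[AccessKey]) -> list[tuple[str, str]]:
    """Return (resource, finding) pairs; an empty list means no gaps found."""
    findings: list[tuple[str, str]] = []
    for ds in datastores:
        if not ds.holds_personal_data:
            continue  # only stores holding personal data are in scope here
        if not ds.auth_required:
            findings.append((ds.name, "no authentication required for access"))
        if not ds.encrypted_at_rest:
            findings.append((ds.name, "not encrypted at rest"))
        if not ds.allowed_principals:
            findings.append((ds.name, "access not restricted to named principals"))
    for key in keys:
        # A staff key with admin-level rights is exactly what turns one
        # compromised account into a full database exfiltration.
        if key.active and key.privileges & HIGH_PRIVILEGE:
            findings.append((key.key_id, f"active highly privileged key held by {key.owner}"))
    return findings

def legacy_inventory() -> tuple[list[Datastore], list[AccessKey]]:
    """Constructed 'before' state: an unmigrated back-end store with no controls."""
    datastores = [
        Datastore("legacy-backend-db", holds_personal_data=True,
                  auth_required=False, encrypted_at_rest=False),
        Datastore("marketing-assets", holds_personal_data=False,
                  auth_required=False, encrypted_at_rest=False),
    ]
    keys = [
        AccessKey("KEY-CONSTRUCTED-01", "staff-account", {"db:admin", "storage:read"}, active=True),
        AccessKey("KEY-CONSTRUCTED-02", "build-pipeline", {"storage:read"}, active=True),
    ]
    return datastores, keys

def hardened_inventory() -> tuple[list[Datastore], list[AccessKey]]:
    """Constructed 'after' state: authentication on, encryption on, access restricted,
    and the over-privileged staff key deactivated."""
    datastores = [
        Datastore("legacy-backend-db", holds_personal_data=True,
                  auth_required=True, encrypted_at_rest=True,
                  allowed_principals={"dba-oncall"}),
        Datastore("marketing-assets", holds_personal_data=False,
                  auth_required=False, encrypted_at_rest=False),
    ]
    keys = [
        AccessKey("KEY-CONSTRUCTED-01", "staff-account", {"db:admin", "storage:read"}, active=False),
        AccessKey("KEY-CONSTRUCTED-02", "build-pipeline", {"storage:read"}, active=True),
    ]
    return datastores, keys

if __name__ == "__main__":
    for label, inv in (("legacy", legacy_inventory()), ("hardened", hardened_inventory())):
        print(f"{label}: {audit(*inv) or 'no findings'}")
```

Running the module prints four findings for the legacy inventory (three against the personal-data store, one against the staff key) and none for the hardened one. The point of separating `holds_personal_data` from the other flags is that the audit scopes itself to the data the regulator cares about, so a non-sensitive asset store does not generate noise.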