Alibaba-owned Lazada suffers a data breach at its Singapore grocery delivery business


The Lazada application is displayed on an iPhone.

Guillaume Payen | LightRocket | Getty Images

SINGAPORE – Southeast Asian e-commerce company Lazada has discovered a data breach that exposed the personal information of many users in Singapore.

Lazada's cybersecurity team discovered last Thursday that a customer database belonging to RedMart, an online grocery delivery company in the city-state, had been illegally accessed. The Alibaba-owned company said the information in the database was "more than 18 months out of date".

The database was used by the now-retired RedMart app and website and was hosted by a third party, according to Lazada.

Lazada bought RedMart in late 2016 and integrated grocery delivery into its own app and website in March of last year – around the same time the affected database was last updated.

Singapore's Channel News Asia first covered the incident. The news network claimed to have accessed an online forum selling "allegedly personal information" such as names, phone numbers, emails, and passwords from various e-commerce websites around the world, including information stolen from Lazada.

CNBC was unable to independently validate the content of the online forum. However, Lazada confirmed to CNBC that personal information from 1.1 million RedMart accounts had been compromised.

The information that was illegally accessed included names, phone numbers, addresses, encrypted passwords and, in some cases, credit card numbers of RedMart customers. Affected users have been logged out of their existing accounts and asked to reset their password before logging in. Lazada also stated that it immediately blocked access to the database.

"The protection of the data and the privacy of our users is of the utmost importance to us," said Lazada in a statement on Friday. "Aside from reviewing and strengthening our security infrastructure, we are working very closely with the relevant authorities on this incident and we continue to strive to provide our users with the support they need."

The company reported the incident to the Singapore Data Protection Commission, which enforces the city-state's Personal Data Protection Act. The legislation requires companies to notify the Commission and data subjects of a data breach when it concerns the personal data of 500 or more people.

A commission spokesman told CNBC that the commission is aware of the incident and is investigating the matter.

A Lazada spokesman pointed to Friday's statement when asked if there had been any updates on its investigation into the security breach.

On its website, Lazada said the affected database was not linked to any of its current databases.

RedMart saw a surge in usage this year as more people turned to shopping for groceries online when the coronavirus pandemic first broke out and Singapore went into a partial lockdown. Online grocery sales on the platform rose fourfold after the city-state introduced movement restrictions in early April.


Katherine Clark