RedMart fined $72,000 after addresses, partial credit card info of nearly 900,000 people leaked

Grocery delivery service RedMart has been fined $72,000 after the Personal Data Protection Commission found that the personal data of nearly 900,000 people was stolen from its database in 2020 and put up for sale online.

The information stolen included names, encrypted passwords, phone numbers and partial credit card numbers, said the commission in a report on Monday.

The commission also said that in a separate incident in 2020, the personal data of visitors of Thomson Medical was accessible to the public on an open platform.

The healthcare provider was ordered to scan the Web for any signs of a data leak and to take steps to secure its data.

On the RedMart case, the commission said it investigated the matter after being notified on Oct 29, 2020, that the personal data of RedMart customers was being sold online.

It said RedMart was in the midst of integrating its platform with Lazada’s online platform after being acquired by the e-commerce giant in 2016.

RedMart’s consumer website and mobile app were closed to the public in March 2019, but behind the scenes, the shift to Lazada’s system was still under way, with a deadline set for March 2021.

The personal data of RedMart’s customers and sellers that was stored on RedMart’s systems was not encrypted and did not have any password authentication requirement for access, said the commission.

In September 2020, an unidentified attacker hacked into RedMart’s database after gaining unauthorised access to RedMart’s cloud through a compromised staff member’s account.

The database contained the names, e-mail addresses, contact numbers, residential addresses and partial credit card details of 898,791 people. It was put up for sale on an online forum.

In its judgment, the Personal Data Protection Commission said the hacked database was protected by various levels of security controls such as access keys, but added that there were gaps in the systems. These include the failure to create separate authentication requirements for the hacked database.

RedMart also did not conduct periodic management reviews to ensure that access to the keys that guarded sensitive information was limited to only those who needed it, said the commission.

“This is a fundamental data security practice,” it said.

It added: “The complexity of the organisation’s network architecture does not paper over the cracks in its security arrangements – at every level of defence, the organisation’s systems presented clear vulnerabilities that should have been addressed.”

Following the incident, RedMart reset its system access keys and investigated its databases for traces left by the attacker. It also informed all affected individuals of the data leak via e-mail and issued a public statement.

It has since implemented two-factor authentication for systems that contain sensitive data and removed unnecessary accounts and permissions.

The Personal Data Protection Commission said there is no one-size-fits-all solution when it comes to protecting personal data, and that each organisation should consider security arrangements that are reasonable and appropriate.

“Given the high volume of personal data contained in the affected database, it was incumbent on (RedMart) to implement policies and practices that were commensurate with the organisation’s higher-level security needs,” said the commission.

In a separate report published on Monday, the commission said Thomson Medical had failed to secure the personal data of 44,679 visitors in late 2020.

While there was no evidence of a data leak, the information was stored on a platform that was accessible to the public.

The data included visitors’ names, NRIC details and contact numbers, and their answers to a health declaration questionnaire – information that was widely collected here at the height of the pandemic.

Personal health information is known to be valuable to hackers as the data from hospitals is more likely to be accurate. The data can be used to commit insurance fraud or make false financial claims.

Thomson Medical told the Personal Data Protection Commission that an in-house developer failed to change a default system setting that gave the public access to the database.

It has since removed the affected files and taken steps to secure the database, it said.

The commission issued directions on how to mitigate the issue instead of a financial penalty as there was no sign of a data leak.

Thomson Medical also had to submit a declaration that it had conducted a search for signs of a leak on the Internet and the Dark Web.