2022-12-21

SINGAPORE - Grocery delivery service RedMart has been fined $72,000 after the Personal Data Protection Commission found that the personal data of nearly 900,000 people were stolen from its database in 2020 and put up for sale online.

The information stolen included names, encrypted passwords, phone numbers and partial credit card numbers, said the commission in a report on Monday.

The commission also said that day that in a separate incident in 2020, the personal data of visitors to Thomson Medical was accessible to the public on an open platform. The healthcare provider was ordered to scan the Web for any signs of the exposed data and to take steps to secure its data.

On the RedMart case, the commission said it investigated the matter after it was notified on Oct 29, 2020, that the personal data of RedMart customers was being sold online.

The commission said RedMart was in the midst of integrating its platform with Lazada’s online platform after being acquired by the e-commerce giant in 2016.

RedMart’s consumer website and mobile app were closed to the public in March 2019, but behind the scenes, the shift to Lazada’s system was still under way, with a deadline set for March 2021.

The personal data of RedMart’s customers and sellers that was stored on RedMart’s systems was not encrypted and did not have any password authentication requirement for access, said the Personal Data Protection Commission.

In September 2020, an unidentified attacker hacked into RedMart’s database after gaining unauthorised access to RedMart’s cloud through a compromised staff member’s account.

The database contained the name, e-mail address, contact number, residential address and partial credit card details of 898,791 people. It was put up for sale on an online forum.

In its judgment, the Personal Data Protection Commission said the hacked database was protected by various levels of security controls such as access keys, but added that there were gaps in its systems. These include the failure to create separate authentication requirements for the hacked database.

RedMart also did not conduct periodic management reviews to ensure that access to the keys that guarded sensitive information was limited to only those who need it. “This is a fundamental data security practice,” said the commission.

It added: “The complexity of the organisation’s network architecture does not paper over the cracks in its security arrangements – at every level of defence, the organisation’s systems presented clear vulnerabilities that should have been addressed.”

Following the incident, RedMart reset its system access keys and investigated its databases for traces left by the attacker. It also informed all affected individuals of the data leak via e-mail and issued a public statement.

RedMart has since implemented two-factor authentication for systems that contain sensitive data and removed unnecessary accounts and permissions.

The commission said that there is no one-size-fits-all solution when it comes to protecting personal data, but that each organisation should consider security arrangements that are reasonable and appropriate.