That Lazada’s online grocery platform RedMart has suffered a serious data breach this week should come as no surprise, especially since it has made several public missteps after folding the app into its own e-commerce app more than a year ago. The security oversight underscores the importance of putting in place a proper integration strategy when companies merge and one that should continue to be reviewed even after the transition is complete.
News broke late-Friday that the data of 1.1 million RedMart accounts had been compromised, after an individual claimed to have access to a database containing their personal information including names, mailing addresses, email addresses, phone numbers, encrypted passwords, and partial credit card numbers.
Lazada, which acquired RedMart in November 2016, sent a note Friday to affected customers informing them of a “RedMart data security incident” that it said was uncovered the day before, on October 29, as part of “regular proactive monitoring” carried out by the company’s cybersecurity team. RedMart customers were automatically logged out of their accounts and prompted to reset their passwords before relogging in.
In its note, Lazada said the breach led to unauthorised access to a “RedMart-only database” that was hosted on a third-party service provider and had contained “out of date” customer data that was last updated on March 2019. It added that “immediate action” was taken to block the illegal access and that Lazada’s own customer data was not affected by the breach.
The Southeast Asian e-commerce operator in January 2019 announced plans to integrate the RedMart app into its platform, more than two years after it acquired RedMart. Lazada itself was acquired by Chinese e-commerce giant Alibaba in April 2016. RedMart accounts were formally integrated on March 15, 2019 — the same month the compromised database was last updated.
The move had drawn sharp criticism from former RedMart customers in Singapore, who were promised the “same shopping experience — from browsing to ordering” on the integrated platform, but found this to be far from the truth when March 15 rolled over.
Once beloved for its streamlined and clean user interface, the integrated RedMart experience was described by customers as cluttered, difficult to navigate, and missing several popular features such as the ability to update a scheduled order and access to a favourite items list.
Today, more than a year after the transition, the user experience for RedMart — which currently has its own section on Lazada — remains inconsistent across its mobile and web platforms. While the mobile app is largely functional, the same cannot be said of the website. RedMart customers on the Lazada website will hit a stalled page when they attempt to retrieve their favourite items list, and adding items to their cart leads to a “network error” or an error page.
Clearly, some things have slipped through the cracks since the merger and a security breach was a matter of “when”, not “if”.
Questions remain about Lazada’s security hygiene
That the database was outdated is irrelevant; the data it contained isn’t exactly transient in nature. I haven’t changed my mobile number in at least 20 years and how many actually move homes in under two years?
That it was a “RedMart-only” database is also little consolation. RedMart customers’ login credentials were moved along with the integration and their passwords are used to log into the Lazada platform before they can access the RedMart section. So, why that still means their Lazada data is “not affected” needs further explanation.
That the database was hosted on a “third-party service provider” is moot. Your customer data, your database, your responsibility. If it was last updated 18 months ago, then the system should have been retired and taken offline, away from the prying hands of hackers.
If it was left online for operational reasons, then policies and procedures should have been put in place to ensure the database remained updated, regularly checked for any potential vulnerabilities, and security patches promptly deployed.
And there are many questions that still need to be answered.
Was the breach actually discovered during a “regular proactive monitoring” or was it identified only after the hacker or hackers publicly declared they were in possession of the database and had put up the details for sale?
Was Lazada’s cybersecurity team aware the second the database was breached, and not only when the hackers announced they had access to the data? When exactly did the breach occur? How long had the hackers been lurking in stealth mode? What else could they have breached?
With 1.1 million accounts compromised, Lazada not only faces a potentially stiff penalty from the relevant Singapore authorities, its reputation has taken a significant hit. Customers have taken to its social media profiles with questions about their data security and to decry the platform’s lack of security, including the absence of basic features such as two-factor authentication.
These are issues Lazada could very well have avoided if it had put in place, from day one, a proper integration plan. One that could have helped ensure customers knew what to expect, that user experience remained consistent, and features were at the very least functional.
A proper transition strategy also would identify which systems should be kept operational and how they should be properly maintained, as well as lay out a timeline for those no longer needed and how these should be taken out of commission.
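The kind of inventory check such a transition strategy implies, written here as an added example that is not from the article and not Lazada’s own tooling: each inherited data store is classified as retired, to be decommissioned, stale, overdue for a security review, or fine. The thresholds, store names, hosts and dates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds are assumptions for this example, not figures from the article.
STALE_AFTER = timedelta(days=365)   # no writes for a year: re-justify or retire
REVIEW_EVERY = timedelta(days=90)   # required systems get a patch/vulnerability review quarterly


@dataclass(frozen=True)
class DataStore:
    name: str
    hosted_by: str            # "internal" or the name of the third-party provider
    last_updated: date        # last write to the customer data it holds
    online: bool              # still reachable on the network
    still_required: bool      # decided by the integration plan, never inferred
    last_security_review: date


def classify(store: DataStore, today: date) -> str:
    """Return the action the transition plan should take for one data store."""
    if not store.online:
        return "retired"
    if not store.still_required:
        # A copy of customer data nobody needs is pure liability, stale or not.
        return "decommission"
    if today - store.last_updated > STALE_AFTER:
        # Kept for operational reasons but never written to: justify it or retire it.
        return "stale-needs-justification"
    if today - store.last_security_review > REVIEW_EVERY:
        return "overdue-security-review"
    return "ok"


def audit(inventory, today: date) -> dict:
    return {s.name: classify(s, today) for s in inventory}


# Constructed sample inventory; every entry below is hypothetical.
AS_OF = date(2020, 10, 29)
INVENTORY = [
    DataStore("grocery-customers-legacy", "cloud-provider-a", date(2019, 3, 15), True, False, date(2019, 3, 1)),
    DataStore("grocery-orders-archive", "cloud-provider-a", date(2019, 3, 15), True, True, date(2020, 10, 1)),
    DataStore("main-customers", "internal", date(2020, 10, 28), True, True, date(2020, 6, 1)),
    DataStore("grocery-app-config", "internal", date(2019, 1, 10), False, False, date(2019, 1, 10)),
]

if __name__ == "__main__":
    for name, action in audit(INVENTORY, AS_OF).items():
        print(f"{name:28} {action}")
```

The point of the `still_required` flag is that it must come from the integration plan itself; a store that nobody has claimed ownership of is flagged for decommissioning regardless of how recently it was written to.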
Now in damage control, it remains to be seen how Lazada will move to repair its brand. One thing’s for sure, with the missteps it has made — and continues to make — more “security incidents” may be on the way if Lazada doesn’t clean up its act, and quickly.