Lazada
On 29 October 2020, as part of its “proactive monitoring”, Lazada’s cybersecurity team discovered a data security incident in Singapore, involving a RedMart-only database hosted on a third-party service provider. The customer data hosted on this database is more than 18 months out of date as it was last updated in March 2019, according to a statement from Lazada.
The customer information that was illegally accessed includes the names, phone numbers, emails, addresses, encrypted passwords and partial credit card numbers of RedMart customers. Lazada commented that it has taken immediate action to block unauthorised access to the database.
This data was used on the “previous RedMart app and website”, which are no longer in use. Lazada customer data in Southeast Asia is not affected by this incident, said the statement.
“Protecting the data and privacy of our users is of utmost importance to us. Apart from reviewing and fortifying our security infrastructure, we are working very closely with the relevant authorities on this incident and remain committed to providing all necessary support to our users. We want to be transparent about this incident with all of our customers and reassure you that we are taking it seriously,” said the statement.
Eatigo
Meanwhile, according to a statement by Eatigo, it was made aware on 30th October 2020 that along with several other ecommerce platforms, it was the subject of a data security incident involving unauthorised access to its customer database that contained customers’ personal data.
Eatigo’s investigations indicate that the information that was illegally accessed was from more than 18 months ago and included customer names, email addresses and phone numbers. Existing Eatigo account passwords are protected by encryption and hence safe, according to the company. “We do not store credit card information on our system,” it said.
“Protecting your privacy and data is of utmost importance to us. We continue to review and enhance our security infrastructure and will collaborate with the relevant authorities on this matter. We are committed to taking all the steps necessary to minimize the risk of a similar incident occurring again in the future,” the company stated.
Eatigo has established a dedicated support team that customers can reach out to for support on this matter. The company has told its customers that they may continue to use its services as “business operations remain safe and unaffected”. However, as a precautionary measure, customers may wish to log into their Eatigo account and reset passwords, according to the statement.
It also warns its customers “to be alert to any spam emails requesting personal or sensitive information as well as any unusual activity in your account.”
Commentary
Ian Hall, Asia-Pacific Client Services Manager at Synopsys’ Software Integrity Group:
Data breaches and hacks are now extremely commonplace, so much so that the general public is becoming somewhat immune to them. Just take a look at the list of enforcement decisions on the PDPC website. It’s likely that only a few of them even ring a bell since many didn’t receive widespread media coverage. The cases for Eatigo and especially Lazada (specifically RedMart) are relatively large and consumers and organisations alike should definitely take note.
With the ongoing pandemic, there has undoubtedly been a large up-tick in users for the Lazada platform. Fortunately, the database that was compromised was a legacy system and includes only users from March 2019. However, I would suspect that the majority of those users still have the same password in place and the same credit card details on file.
For those customers that are worried, it’s a positive sign that Lazada has reacted swiftly and is being transparent about the breach. They also appear to have identified the breach themselves via regular monitoring, pointing to good internal security practices.
From a consumer’s point of view, now would be a good time to reinforce cyber hygiene activities such as changing your account passwords and not re-using them for more than one account. Additionally, only provide the minimum amount of personal information that is required. If it seems strange that an organisation is asking for a particular piece of information, think twice — be wary of scam emails.
From the organisation’s point of view, a question should be asked about why a legacy database from more than a year ago was accessible over the internet. Using legacy code that has known vulnerabilities or hosting a legacy database that may not be patched with the same regularity as the production database provides a forgotten door for attackers to take advantage of.
Looking back at breaches in Singapore over the past couple of years, many breaches are based on weaknesses due to forgotten systems such as temporary firewall rules not being removed, anti-virus not being updated, legacy code with a defect not being fixed, and for these recent cases, legacy databases being left accessible. I’m sure the review has already started for Lazada and Eatigo – as they should have – but others should learn from this and take pro-active reviews to ensure that legacy databases remain patched.
Stephan Neumeier, Managing Director for Asia Pacific at Kaspersky:
As we increase our reliance on online shopping, e-commerce and booking platforms will continue to be a prime target for hackers as they often contain a wealth of customers’ data. While it is unfortunate that both incidents occurred so close to each other, the key takeaway from this is that cybercriminals do not look at auspicious timings before acting – the moment they detect any vulnerabilities in your system, they will take immediate action to exploit them.
With a single data breach costing over $1 million on average for businesses in Southeast Asia, businesses stand to lose an additional $186 million on business opportunities in the aftermath of a data breach. While it is heartening that our Global Corporate IT Security Risks Survey found that 84% of Southeast Asian businesses surveyed have made plans to increase their budget in IT security, there remain significant gaps when it comes to IT infrastructure hosted by third parties, as well as challenges pertaining to the migration of more advanced and complex technology environments.
In these two examples, endpoint security solutions and employing a proper IT migration protocol would have helped the two businesses minimise the occurrence of data breaches. For example, endpoint security solutions are often understood as the first layer of defence, and they can help prevent unauthorised access into your IT system. On another note, businesses should also not get too carried away by the process of digitalisation – constant upgrades and shifts to new operating systems may result in added efficiencies and greater convenience to your business operations and customers – but the new systems need to be properly integrated with your existing ones, or there must be policies in place to ensure that data is no longer stored on your legacy infrastructure.
With the increased online activities come the stealthier moves being done by cybercriminals. This is why companies and individuals should be on their highest alert during this time. We should aim to inculcate a sense of responsibility on how users will handle their personal and corporate data inside their home networks. Likewise, companies should beef up their defences to keep their corporate and customers’ data safe.
A data breach can have a devastating effect on an organization’s reputation and financial bottom line. This is applicable to all sectors, including e-commerce. Below are some of the best practices to fend off one:
- Employ training and activities which will educate employees about cybersecurity basics, for example, to not open or store files from unknown emails or websites as they could be harmful to the whole company.
- Regularly remind staff how to deal with sensitive data, for example, to store it only in trusted cloud services with authentication switched on and not to share it with untrusted third parties.
- Enforce use of legitimate software, downloaded from official sources.
- Make backups of essential data and regularly update IT equipment and applications to avoid unpatched vulnerabilities that can become a reason for a breach.
- Use a dedicated endpoint product that demands minimum management allowing employees to do their main job but protects from malware, ransomware, account takeover, online fraud and scams.
For major e-commerce companies handling millions of data, we suggest:
- Provide your Security Operations Center (SOC) team with access to the latest threat intelligence, and stay up-to-date with new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
- For endpoint level detection, investigation and timely remediation of incidents, implement EDR solutions.
- In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats at the network level at an early stage.
Chief security officer of IntSights Etay Maor:
Cyber criminals make their money in different ways – some through targeting individuals using different scams, others utilize ransomware while some access databases and sell them in underground forums.
Cyber crime underground forums and markets are filled with stolen databases that are offered as a direct sale or via an auction. These databases are similar in format and data types to the Lazada/RedMart database which was recently discovered. While companies need to make best efforts to prevent, detect and mitigate such breaches, consumers should be aware that there is no silver bullet to stop cyber criminals. This incident shows that they should keep to basic cyber hygiene best practices: NEVER reuse the same password on multiple websites, if there is an option to opt in to two factor authentication – do so. Keep track of your credit card statements and watch out for purchases you did not make. Always update and patch your systems with the latest operating system and security updates.