It has been reported that Lazada, one of the top e-commerce sites in Southeast Asia, has suffered a serious data breach. In the breach, 1.1 million RedMart accounts were stolen from e-commerce platform Lazada and sold online. RedMart is a popular grocery shopping site in Singapore; it was acquired by Lazada in 2016 and moved to the Lazada platform in 2019.
In addition, reports have surfaced that personal data from 2.8 million Eatigo accounts were also stolen and put up for sale online, including 400,000 accounts belonging to users in Singapore. The online restaurant reservation platform said that the information stolen was from more than 18 months ago and included names, e-mail addresses and phone numbers. This came just 1 day after the Lazada breach, and both sets of information were put up for sale on the same website.
Data retention and archival processes should be part of any digital privacy and cybersecurity plan. While it’s reasonable to presume that attackers prefer to access current transaction information, there is always value to be found in looking at older data. This is one reason why Section 25 of the PDPA exists.
Businesses should look at all retained data as contributing to business risk, with personal data having some of the highest risk. So while it might be tempting to look at historical data as valuable for data mining and profiling activities, careful attention should be paid to the type of data used in such analysis. For example, should data archives have a copy of user passwords – even if the password is encrypted? Has the anonymisation process been reviewed to ensure the remaining data can’t be combined with third-party data sources to reconstruct the original data? Combining data from multiple sources is an example of something that cybercriminals might do to increase the value of the data they steal.
What can ordinary people do? Consumers do not have much individual power. We would like to strongly encourage companies to be scrupulously careful about their cybersecurity, to safeguard your information as carefully as you do. In the absence of collective action or strong legislation, consumers are mostly on their own.
The best you can do is recognise this reality and take steps to protect yourself. Given the sheer number and volume of data breaches, every consumer should assume that at least some of his or her personal information is available to cyber criminals. With this in mind, be highly skeptical of unsolicited emails or phone calls, even when the caller seems to know information that only a legitimate organisation would know.
Never, ever provide passwords, government identification numbers, account numbers, or other sensitive information in response to unsolicited communications.
Ask to call back anyone asking for such information. Independently verify that the request is valid.
Use two-factor authentication for any sensitive services. This minimises the risk of an attacker using your stolen credentials in a credential-stuffing attack.