RedMart data breach a reminder of danger of forgotten pieces of data

October 31st, 2020 | by Alfred Siew
SCREENSHOT: Lazada RedMart website

In the latest high-profile hacking case in Singapore this week, it is significant that customer data stolen from RedMart, a popular online grocery store, is said to be “out of date” and from a “legacy” system no longer in use.

Perhaps in trying to downplay the situation, the parent company Lazada has revealed one common vulnerability facing many businesses today – the forgotten pieces of data that they often do not discard as they upgrade to new systems.

With more businesses seeking to revamp their older systems or digitalise their operations, it is difficult to keep track of all the data and systems that hold it over time.

Many bigger companies try to keep an inventory of what they are running, but this is an ongoing challenge simply because more systems are spun up – and down – all the time, especially when corporate users have easy access to cloud services.

When Sony Pictures got hacked in the first of many high-profile incidents in 2014, it was revealed that the company did not even know of the servers that had initially been infiltrated by the cyber attackers.

In the SingHealth attack in Singapore in 2018, which exposed 1.5 million people’s personal data, the hackers had made use of a database system that was meant to be decommissioned but was kept online despite a migration to a new system.

Now, the RedMart data breach is yet another reminder of the dangers of “loose pieces” of data or supposedly disconnected servers that have been forgotten over time.

It is still unclear if the names, phone numbers and partial credit card numbers of some 1.1 million RedMart accounts, put up for sale by a hacker this week, are still accurate.

Lazada says they are 18 months out of date. Still, you don’t change your e-mail address, phone number or credit card every 18 months, so it won’t be a surprise if some users now have their personal data exposed.

Rightly, they will ask if Lazada could have done more to protect their data. Unfortunately, though, this is another sobering lesson on the inherent risk of sharing personal information online for easier, smoother transactions.

And there will be many such data fragments, as people transact over time, which will invariably increase the chances of their personal information being exposed.

The alternative is to head to a retail shop personally, pay with good old cash and lug the groceries home, but that’s not on for most people who have got used to online shopping, especially with the safe distancing forced by the pandemic. That ship has sailed.

For customers, it’s a matter of choosing a retailer they can trust – there are also Amazon and NTUC, for example – and looking to the government regulator to make Lazada take stronger measures to keep its data from being stolen in future.
