A spokesman from e-commerce giant Lazada, which owns e-grocer Redmart, confirmed the data breach on Friday (Oct 30), saying that the personal information stolen included names, phone numbers, e-mail, mailing addresses, encrypted passwords and partial credit card numbers.
"Our cyber-security team discovered an individual claiming to be in possession of a RedMart customer database taken from a legacy RedMart system no longer in use by the company," the spokesman said.
The e-commerce giant said the stolen information was from a Redmart database that had not been updated for more than 18 months.
"This RedMart-only information is more than 18 months out of date and not linked to any Lazada database," the spokesman said, adding that the firm has taken action to block unauthorised access to the database.
Also in a notification e-mail sent to affected customers on Friday evening (Oct 30), Lazada said it discovered the security breach the day before (Oct 29) as part of its routine monitoring.
As a security measure, the firm has logged every customer out of their existing accounts. When customers log in, they will be asked to create a new password. Customers are also advised to change their passwords frequently.
Lazada also warned customers to be on the alert for phishing e-mails, where scammers ask for sensitive information while pretending to be from Lazada. "Lazada does not request customers to verify your personal information," it said in the e-mail notification.
Lazada is investigating the data breach, and has informed the Personal Data Protection Commission (PDPC) of the breach. A PDPC spokesman said the commission was aware of the incident and is currently investigating.
The Straits Times has reached out to Lazada for comment.