First hacked in December 2017, Chinese e-commerce giant, Gearbest’s website has once again been breached.

This time, more than 1.5 million data, which includes user names, date of birth, account passwords, payment information, IP addresses, national identification and passport details were all exposed.

Commenting on the breach, Tim Mackey, Technology Evangelist at Synopsys, Inc, said:

“Today, organisations simply cannot afford to neglect the security of their applications, especially in industries like retail and banking where processing and storing payment card and financial data is standard operations. In the latest mega-breach uncovered by VPNMentor, Gearbest has demonstrated that even the most obvious cyberattack targets can fail to maintain basic security hygiene.”

Headquartered in Shenzhen, China, Gearbest’s e-commerce platform offers more than 5,000 products from major Chinese companies such as Huawei, Xiaomi, DJI, Lenovo, etc.

Following the incident, Tim shared some tips on how service providers can prevent similar incidences from happening.

1. Follow OWASP guidelines and ensure all systems are properly secured (OWASP stands for Open Web Application Security Project, a global non-profit charity aiming to improve software security)
2. Review privacy regulations not only for your jurisdiction but also where your customers and users reside
3. Do not collect or retain any information which doesn’t serve a clear purpose for your customers and users
4. Ensure that any system which shouldn’t be accessible from the Internet can’t be
5. Implement a security and incident response process which is responsive to issues the ethical hacking community uncovers

One question still lingers in our mind, why does Gearbest require national identification and passport details?

For the full report on the Gearbest hack, click here.