GrabCar fined $16,000 for personal data breaches

On Dec 17, 2017, GrabCar sent 120,747 marketing e-mails to customers that contained the name and mobile number of another customer.

Ride-hailing firm GrabCar has been fined $16,000 for the unauthorised disclosure of the names and mobile numbers of 120,747 customers in marketing e-mails.

The 2017 incident arose from an e-mail mismatch, where the affected customer's data was disclosed to only one other individual in each case.

Mr Tan Kiat How, the Commissioner for the Personal Data Protection Commission, said yesterday that GrabCar took immediate action and made changes to its practices.

These changes included requiring "a third person to perform sanity checks of the data before triggering any new campaigns" as well as plans to incorporate privacy by masking mobile phone numbers in marketing plans.

GrabCar is part of the Grab group, which offers services such as food delivery and payments on its mobile platform, in addition to ride hailing.

On Dec 17, 2017, GrabCar sent 399,751 marketing e-mails to a targeted group of customers, but 120,747 of these contained the name and mobile number of another customer.

The e-mail was sent to User A as intended but User B's name and phone number were reflected in the e-mail as that of the intended recipient.

GrabCar found that the incident was caused by the erroneous assemblage of customer information from different database tables.

Although 399,751 marketing e-mails were generated, only customers who had verified their e-mail addresses received the mismatched e-mails.

Mr Tan said GrabCar had breached its obligations under the Personal Data Protection Act as customer names and phone numbers are regarded as personal data.

He added that GrabCar "did not have adequate measures in place to detect whether the changes it made to the system that held personal data introduced errors that put the personal data it was processing at risk".

Mr Tan took into account GrabCar's prompt and voluntary notification of the incident and its practice of accountability when imposing the $16,000 penalty.

In a separate case, Deputy Commissioner Yeong Zee Kin issued directions to GrabCar for failing to install security arrangements for GrabHitch drivers to protect passenger data.

GrabHitch matches a passenger with a driver who, for a fee, is willing to give the person a lift on the way to the driver's destination.

This case involved separate complaints by two passengers who used GrabHitch to book carpool rides that were provided by two different drivers on separate occasions.

Mr Yeong ordered GrabCar to review and amend its practices to provide detailed guidance for GrabHitch drivers on the handling and protection of customer data.

He ruled that a financial penalty was not warranted as only two individuals were directly affected.

A version of this article appeared in the print edition of The Straits Times on June 12, 2019, with the headline GrabCar fined $16,000 for personal data breaches.