Personal data breach: Grab beefs up data protection

Grab Singapore said yesterday it takes data protection and users' privacy very seriously, pointing to steps taken after it detected the unauthorised disclosures by its ride-hailing firm GrabCar on Dec 17, 2017.

On Tuesday, GrabCar was fined $16,000 for the unauthorised disclosure of the names and mobile numbers of 120,747 customers in marketing e-mails.

Mr Tan Kiat How, the commissioner for the Personal Data Protection Commission (PDPC), recognised in his decision grounds that GrabCar took immediate action and changed its practices.

Grab reported the incident immediately to the PDPC when it was discovered, said a Grab spokesman.

She said the incident resulted from a mismatched database, which led to each affected customer's name and phone number being disclosed to one other person.

"To prevent a recurrence, we immediately put in place more rigorous data validation and checks, including new processes that require a third person to perform sanity checks on data as well as masking phone numbers in all marketing campaigns," added the spokesman.

She stressed Grab's commitment to the Personal Data Protection Act (PDPA) and apologised for any anxiety caused.


A second report issued by the PDPC on the same day dealt with GrabHitch driver-partners.

Deputy Commissioner Yeong Zee Kin issued directions to GrabCar for not having security arrangements for GrabHitch drivers to protect passenger data. GrabHitch matches a passenger with a driver willing to give the person a lift on the way to the driver's destination for a fee.

This case involved separate complaints by two passengers who used GrabHitch to book carpool rides provided by two different drivers on separate occasions.

The passengers complained that the drivers had posted their data without their consent on Facebook.

Mr Yeong held in a significant ruling that a GrabHitch driver is not an "organisation" under the PDPA, saying it is the firm that discloses the passengers' personal data to GrabHitch drivers in the company's chosen manner and for the purpose deemed acceptable by the firm.

GrabHitch drivers have no input into this collection and use of the personal data, said Mr Yeong.

He directed GrabCar to review and amend its policies and practices to provide detailed guidance for GrabHitch drivers on handling and protecting customer data.

Grab said it is reviewing the decision "as we believe there is a lack of clarity on the extent to which an organisation is responsible for educating private individuals offering services on a personal capacity, about personal data protection".

Grab said its code of conduct made clear to all GrabHitch driver-partners that "they are not to use personal data of their passengers for any other purpose, apart from fulfilling the ride booking".

To prevent the misuse of personal data by the GrabHitch community, Grab has introduced a number-masking feature on its GrabHitch service, the spokesman said.

A version of this article appeared in the print edition of The Straits Times on June 13, 2019, with the headline 'Personal data breach: Grab beefs up data protection'.