New ride-hailing firm FastGo apologises after accidentally revealing e-mail addresses of 300 drivers

FastGo's gaffe could be a breach of the Personal Data Protection Act.
FastGo's gaffe could be a breach of the Personal Data Protection Act. PHOTO: LIANHE WANBAO

SINGAPORE - The latest entrant in the ride-hailing market has apologised after accidentally revealing the personal e-mail address of about 300 drivers.

Vietnamese start-up FastGo, which started driver registration on Monday (April 1), sent an e-mail on Friday to interested drivers requesting documents to complete their sign-up.

But it copied the e-mail addresses in the "To" field when sending out the request so the contacts were visible to all recipients.

The firm should have used the BCC option - blind carbon copy - to conceal the e-mail addresses of other recipients.

FastGo Singapore country manager Diep Nguyen told The Straits Times: "The FastGo team is really sorry about the issue and we hope that our driver-partners will continue supporting us in the future.

"We seriously think it is an important lesson to learn about the issue ... we promise no more mistakes will happen again."

About 300 of the 1,000 or so drivers who had signed up with FastGo were affected, Ms Nguyen added.


According to a copy of the e-mail uploaded on Facebook by netizen Stanley Raymond Oh, the FastGo e-mail had requested nine sets of documents, including identity cards, driving licences and bank statements.

The e-mail addresses of the recipients were partially censored in the post put online.

Lawyer Lionel Tan, a partner at law firm Rajah & Tann who specialises in data protection laws, said the gaffe could be a breach of the Personal Data Protection Act.

"There are a lot of seemingly personal e-mails in the list, so it is a likely breach unless all recipients have consented that they don't mind their e-mail addresses being circulated," he said.

"If it is a breach, the Personal Data Protection Commission would look into the matter and see ... whether the organisation has proper procedures in place and whether they had educated staff on how to properly handle data."

Financial penalties could be imposed.

A similar case occurred last August when mobilityX, a start-up that received seed funding from SMRT, sent out a mass e-mail that accidentally revealed the personal addresses of its 500 users.