Grab fined $10,000 for fourth data privacy breach in S'pore in two years

A software update on Aug 30 last year inadvertently exposed the personal data of 21,541 GrabHitch drivers and passengers to the risk of unauthorised access.
A software update on Aug 30 last year inadvertently exposed the personal data of 21,541 GrabHitch drivers and passengers to the risk of unauthorised access.PHOTO: ST FILE

SINGAPORE - Ride-hailing operator Grab has been fined $10,000 for failing to secure its drivers' and passengers' personal details on its mobile app, the fourth time in two years that it has been found to have breached data protection laws.

According to a written decision by the Personal Data Protection Commission (PDPC) published on its website last Thursday (Sept 10), a software update to Grab's ride-hailing app on Aug 30 last year inadvertently exposed the personal data of 21,541 GrabHitch drivers and passengers to the risk of unauthorised access.

The update was meant to fix a potential vulnerability detected by Grab by removing a variable from a link in the app's interface that allows GrabHitch drivers to access their data.

But it failed to take into account the fact that without this variable, the app could no longer differentiate between drivers and, as a result, provided the same data to all GrabHitch drivers for 10 seconds before new data could be retrieved.

The data exposed included profile pictures, passenger names and vehicle plate numbers, as well as pick-up and drop-off locations and times.

Upon being notified of the incident, Grab rolled back the app to the version prior to the update and notified 5,651 GrabHitch drivers on the same day. It also notified the PDPC of the breach.

In the written decision, PDPC deputy commissioner Yeong Zee Kin noted that sufficiently robust processes were not put in place to manage changes to Grab's information technology system, calling the breach "a particularly grave error" given that it was the second time Grab had made a mistake of this nature.

The company was fined $16,000 in June last year for disclosing the names and mobile phone numbers of 120,747 customers in marketing e-mails sent out to other customers.

"In determining the directions, if any, to be imposed... I have also taken into consideration that this is the fourth time (Grab) has been found in breach of Section 24 of the Personal Data Protection Act," Mr Yeong said.

"Given that (Grab's) business involves processing large volumes of personal data on a daily basis, this is a significant cause for concern."

In June last year, no financial penalty was imposed on Grab for another incident involving the disclosure of personal data of some GrabHitch passengers by GrabHitch drivers without consent on social media.

 
 
 

In October 2018, Grab was fined $6,000 for failing to make reasonable security arrangements to prevent the unauthorised disclosure of GrabHitch drivers’ personal data.
 

“The security of data and the privacy of our users is of utmost importance to us, and we are sorry for disappointing them,” a Grab spokesman said.

To prevent a recurrence, Grab has since introduced more robust processes in its IT environment testing, along with updated governance procedures and a review of legacy application and source codes, the spokesman added.

In separate decisions published on Sept 10, the Civil Service Club (CSC) and Singapore Red Cross were fined $20,000 and $5,000 respectively by the PDPC.

The CSC was fined for failing to put in place reasonable security arrangements to protect its members' personal data, as a Web directory containing members' profile photographs and their identification numbers was found to be publicly accessible.

The Singapore Red Cross was fined for inadequately protecting the personal data of donors in its database, and for retaining the personal data of some 900 individuals that it no longer needed for legal or business purposes.

The PDPC serves as Singapore's main authority in matters relating to personal data protection. The biggest fine it has imposed so far is the $1 million collective fine given to Integrated Health Information Systems and SingHealth in January 2019 for the 2018 hacking incident, when hackers broke into the SingHealth database and exposed the data of more than 1.5 million patients.