Grab fined $10k over fourth data privacy breach in two years

Ride-hailing operator Grab has been fined $10,000 for failing to secure its drivers' and passengers' personal details on its mobile app, the fourth time in two years that it has been found to have breached data protection laws.

According to a written decision by the Personal Data Protection Commission (PDPC) published last Thursday, a software update to Grab's ride-hailing app on Aug 30 last year exposed the personal data of 21,541 GrabHitch drivers and passengers to the risk of unauthorised access.

The update was meant to fix a potential vulnerability detected by Grab by removing a variable from a link in the app's interface that allows GrabHitch drivers to access their data. But, without this variable, the app could no longer differentiate between drivers, and as a result provided the same data to all drivers for 10 seconds before new data could be retrieved.

The data exposed included profile pictures, passenger names, vehicle plate numbers as well as pick-up and drop-off locations and times.

Upon being notified of the incident, Grab rolled back the app to the version prior to the update and notified 5,651 GrabHitch drivers on the same day. It also notified the PDPC of the breach.

PDPC deputy commissioner Yeong Zee Kin noted that sufficiently robust processes were not put in place to manage changes to Grab's IT system, calling the breach "a particularly grave error", given that it was the second time Grab had made a mistake of this nature.

The company was fined $16,000 in June last year for disclosing the names and mobile phone numbers of 120,747 customers in marketing e-mails sent out to other customers.

Mr Yeong said: "In determining the directions, if any, to be imposed... I have also taken into consideration that this is the fourth time (Grab) has been found in breach of Section 24 of the Personal Data Protection Act.

"Given that (Grab's) business involves processing large volumes of personal data on a daily basis, this is a significant cause for concern."

In June last year, no financial penalty was imposed on Grab for another incident involving the disclosure of personal data of some GrabHitch passengers by GrabHitch drivers without consent on social media.

In Oct 2018, Grab was fined $6,000 for failing to make reasonable security arrangements to prevent the unauthorised disclosure of GrabHitch drivers' personal data.


A Grab spokesman said yesterday: "The security of data and the privacy of our users is of utmost importance to us, and we are sorry for disappointing them."

To prevent a recurrence, Grab has since introduced more robust processes in its IT environment testing, along with updated governance procedures and a review of legacy application and source codes, the spokesman added.

A version of this article appeared in the print edition of The Straits Times on September 15, 2020, with the headline 'Grab fined $10k over fourth data privacy breach in two years'. Subscribe