GrabCar fined S$10,000 for risking the personal data of over 20,000 drivers and passengers

Grab app

Last year, GrabCar informed the Personal Data Protection Commission (PDPC) that profile data of 5,651 GrabHitch drivers were exposed to the risk of unauthorized access by other GrabHitch drivers through its app.

According to PDPC deputy commissioner Yeong Zee Kin, the cause of the breach was due to an app update on Aug 30, 2019. “The purpose of the update was to address a potential vulnerability discovered within the Grab app,” he said.

Risking the personal data of over 20,000 drivers and passengers

On Sep 10, the PDPC stated that the update risked the personal data of 21,541 drivers and passengers of GrabHitch. This includes profile pictures, names, and vehicle plate numbers.

But GrabCar managed to roll back the app to the previous version within about 40 minutes. They also took other corrective actions.

“Given that the organization’s business involves processing large volumes of personal data on a daily basis, this is a significant cause for concern,” PDPC said.

The technical details & insufficient robust processes

As per the PDPC’s findings, the app’s programming interface URL which allowed drivers to access their data had contained a “userID” portion. Manipulation to that particular portion could possibly allow access to other drivers’ data.

Mr Yeong said GrabCar had insufficient robust processes to manage changes to its IT system. As a result, putting personal data it was processing at risk.

“This was a particularly grave error given that this is the second time the (GrabCar) is making a similar mistake, albeit with respect to a different system,” he added.

Not the first time with a similar mistake in 2019

In 2019, GrabCar was fined S$16,000 after it sent out more than 120,000 marketing emails to customers containing the name and mobile phone number of another customer.

Grab explained that the incident was due to a mismatched database. Thus, each affected customer’s name and phone number was disclosed to one other individual.

The Grab spokesperson then said that to prevent a recurrence, they had immediately put in place more rigorous data validation and checks. This includes new processes that require a third person to perform sanity checks on data. They also promised to mask phone numbers in all their marketing campaigns.

Grab’s response this time around

To prevent this incident from happening again, Grab claims to have introduced more robust processes. This is especially so to their IT environment testing alongside updated governance procedures. They are also working on an architecture review of their legacy application and source codes.

Read More...