Grab Fined SG$10,000 for Fourth Personal Data Protection Breach in Two Years

This is also the second time that Grab has been found in violation of the same section under Singapore’s Personal Data Protection Act 2012

Singapore-based unicorn and superapp Grab has been fined SG$10,000 (about US$7,350) for violating the country’s data protection laws, according to a circular from Singapore’s Personal Data Protection Commission (PDPC) signed by the Deputy Commissioner for Personal Data Protection, Yeong Zee Kin.

The incident arose from a glitch in a GrabHitch API endpoint, which the company attempted to rectify with an update, according to the circular dated 21 July 2020 and published late last week.

However, the update exposed GrabHitch drivers’ data, including profile pictures, passenger names, vehicle plate numbers and wallet balances (including ride payment history), to possible unauthorized access.

Beyond that personal data, booking data, including addresses, pickup and drop-off times, total rides, and vehicle make and model, was also exposed to unauthorized access.

While Grab’s initial investigation indicated that 5,651 GrabHitch drivers had been affected, it was eventually found that the data of 21,541 GrabHitch drivers and passengers had been exposed, the circular noted.

The circular further said that Grab’s investigations indicated that the data had not been exploited.

It explained that Grab pushed the update without understanding its wider implications for the company’s IT infrastructure, including its caching mechanism.

The bug the company was attempting to fix was in the API endpoint ‘/users/{userID}/profile’: by manipulating the ‘userID’ value in the URL, a caller could retrieve another GrabHitch driver’s data.

To fix this, the update removed the ‘userID’ variable from the URL, so every request from the Grab app went to the same path, ‘/users/profile’. The app’s caching mechanism, which keyed responses on the URL, could therefore no longer tell one driver’s account from another’s, and in 10-second intervals it served one driver’s personal and booking data to the other drivers using the app.

Grab admitted that it had not run tests simulating multiple users accessing the app, nor verified how its caching mechanism would respond to the update, the circular noted.
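The mechanism described above, the original URL-manipulation bug, the patch that collapsed every request onto one cached path, and the multi-user test that would have caught the regression, is easy to model. The following is an added, constructed Python example written for this article; it is not Grab’s code, and the cache class, handler functions, user records and 10-second TTL are assumptions chosen to mirror the circular’s description.

```python
"""Toy model of a URL-keyed response cache and three versions of a profile endpoint.

Constructed example: not Grab's code. Shows (1) the original endpoint that trusts
the userID in the URL, (2) the 'fix' that dropped userID and made the cache serve
one driver's record to everyone in the TTL window, and (3) a hardened version that
enforces ownership and keys the cache per authenticated user.
"""
import time

# Constructed sample records standing in for two GrabHitch drivers.
USERS = {
    "alice": {"name": "Alice", "plate": "SBA1234A", "wallet": 152.30},
    "bob":   {"name": "Bob",   "plate": "SKZ9876Z", "wallet": 18.75},
}


class UrlKeyedCache:
    """Like many HTTP caches: stores a response under a key for `ttl` seconds and
    returns it to ANY subsequent requester presenting the same key."""

    def __init__(self, ttl_seconds=10.0, clock=time.monotonic):
        self.ttl, self.clock, self._store = ttl_seconds, clock, {}

    def get_or_fetch(self, key, fetch):
        now = self.clock()
        hit = self._store.get(key)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]                      # cache hit: whoever asked gets it
        value = fetch()
        self._store[key] = (now, value)
        return value


def profile_v1(cache, session_user, target_user):
    """Original /users/{userID}/profile: never checks that the caller owns {userID}."""
    path = f"/users/{target_user}/profile"
    return cache.get_or_fetch(path, lambda: USERS[target_user])


def profile_v2(cache, session_user, target_user):
    """The 'fix': userID removed from the URL, so every caller hits /users/profile and
    the cache key no longer distinguishes drivers. target_user is ignored."""
    path = "/users/profile"
    return cache.get_or_fetch(path, lambda: USERS[session_user])


def profile_v3(cache, session_user, target_user):
    """Hardened: keep the per-user URL, enforce ownership, and key the cache on the
    authenticated principal as well (equivalently, mark the response private)."""
    if target_user != session_user:
        raise PermissionError("caller may only read its own profile")
    key = (f"/users/{target_user}/profile", session_user)
    return cache.get_or_fetch(key, lambda: USERS[target_user])


def idor_demo():
    """Bob, logged in as himself, asks v1 for Alice's profile by editing the URL."""
    return profile_v1(UrlKeyedCache(), session_user="bob", target_user="alice")["name"]


def hardened_rejects_idor():
    """Same request against v3 must be refused."""
    try:
        profile_v3(UrlKeyedCache(), session_user="bob", target_user="alice")
    except PermissionError:
        return True
    return False


def simulate_two_drivers(handler):
    """The multi-user test the circular says was never run: two drivers each request
    their own profile inside one 10-second window; report whose record each received."""
    fake_now = [1000.0]
    cache = UrlKeyedCache(ttl_seconds=10.0, clock=lambda: fake_now[0])
    received = {}
    for user in ("alice", "bob"):
        fake_now[0] += 1.0                     # both calls land inside the same TTL
        received[user] = handler(cache, user, user)["name"]
    return received


if __name__ == "__main__":
    print("v1 IDOR, bob reads:", idor_demo())
    print("v2 cache collision:", simulate_two_drivers(profile_v2))
    print("v3 hardened:       ", simulate_two_drivers(profile_v3))
    print("v3 rejects IDOR:   ", hardened_rejects_idor())
```

Running it shows `simulate_two_drivers(profile_v2)` handing Bob the record named “Alice”, which is the failure a single-user test cannot reveal; the hardened handler returns each driver’s own record and refuses the cross-user request outright.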

Yeong found Grab in violation of Section 24 (Protection of Personal Data) of Singapore’s Personal Data Protection Act 2012.

Section 24 requires organizations to protect personal data in their possession or under their control by making ‘reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks’.

Yeong imposed a fine of SG$10,000 on the company and gave it 120 days to implement a “data protection by design policy” for its app.

The circular, however, took note of the fact that Grab was cooperative and responsive with the investigation.

It added that, on being notified of the bug, the company rolled back the update within about 40 minutes, informed the initially identified 5,651 GrabHitch drivers the same day, and raised the minimum “cash out” wallet amount to SG$200,000 in order to prevent unauthorized transfers.

Further, apart from deploying a new update within a month, on 10 September 2019, the company reviewed its testing procedures and added automated testing for API endpoints that handle personal data.

It also updated its governance procedures for the deployment and security verification of IT changes, and reviewed its legacy applications and code as further remedial measures.

The notice observed that this is the second time that Grab “did not put in place sufficiently robust processes to manage changes to its IT system that may put the personal data it was processing at risk.”

This is also the fourth time that Grab has been found in breach of Section 24, the circular noted.

The watchdog had earlier fined GrabCar SG$16,000 in June last year over some 120,000 marketing emails that were sent out disclosing customers’ names and phone numbers. In a separate incident, GrabHitch drivers disclosed the personal data of GrabHitch passengers on social media without consent; no fine was imposed in that case.

Previously, in October 2018, Grab was also fined SG$6,000 for inadequate security arrangements to prevent unauthorized disclosure of the personal data of GrabHitch drivers.
