Grab Fined SG$10,000 for Fourth Personal Data Protection Breach in Two Years

This is also the second time that Grab has been found in violation of the same section under Singapore’s Personal Data Protection Act 2012

Singapore-based unicorn and superapp Grab has been fined SG$10,000 (US$7346.7) for violation of the country’s data protections laws according to a circular by Singapore’s Personal Data Protection Commission, undersigned by the Deputy Commissioner for Personal Data Protection Yeong Zee Kin.

The incident took place due to a GrabHitch API endpoint glitch which the company attempted to rectify with an update, the circular dated 21 July 2020 said. The circular was published late last week.

However, the update resulted in the exposure of the data of GrabHitch drivers, including profile pictures, passenger names, vehicle plate numbers and wallet balance (including ride payment history), to possible unauthorized access.

Moreover, apart from personal data, booking data including addresses, pickup and drop-off times, total rides, and vehicle model and make was also exposed to unauthorized access.

While initial investigations by Grab indicated that the data of 5,651 GrabHitch drivers had been affected, it was eventually discovered that the data of 21,541 such drivers and passengers as well had been exposed, the circular noted.

The circular further said that Grab’s investigations indicated that the data had not been exploited.

It explained that Grab made the update without either understanding its larger implications to the company’s IT infrastructure, including its caching mechanism.

The bug that the company was attempting to fix was with the API endpoint ‘/users/{userID}/profile’, which when manipulated, could give access to GrabHitch driver data.

To fix this, the company’s update removed the variable ‘userID’. In doing so, all URLs in the Grab app reflected ‘/users/profile’ and consequently, the app’s caching mechanism was unable to differentiate between driver accounts thereby giving access to personal and booking data to all drivers on the app in 10 second intervals.

Grab admitted to not conducting tests to simulate multiple user access on its app or to verify how its caching mechanism would respond to the update, the circular noted.

Yeong found Grab in violation of Section 24 (Protection of Personal Data) of Singapore’s Personal Data Protection Act 2012.

Section 24 directs organizations to protect personal data that it possesses or controls through ‘reasonable security reasonable security arrangements to prevent unauthorizzed access, collection, use, disclosure, copying, modification, disposal or similar risks’.

Yeong imposed a fine of SG$10,000 on the company and gave it 120 days to implement a “data protection by design policy” for its app.

The circular, however, took note of the fact that Grab was cooperative and responsive with the investigation.

It added that on being notified about the bug, the company rolled back the update within about 40 minutes, informed the initially detected 5,651 GrabHitch drivers on the same day, and increased the minimum “cash out” wallet amount to SG$200,000 in order to prevent unauthorized transfers.

Further, apart from deploying a new update within a month, on 10 September 2019, the company also reviewed its testing procedures, adding automated testing for API endpoints that pertained to personal data.

It also updated relevant governance procedures on deployment and security verification for IT changes, and reviewed its legacy applications and codes as remedial measures as well.

The notice observed that this is the second time that Grab “did not put in place sufficiently robust processes to manage changes to its IT system that may put the personal data it was processing at risk.”

This is also the fourth time that Grab has been found in breach of Section 24, the circular noted.

The watchdog had earlier fined GrabCar SG$16,000 in June last year for 120,000 marketing emails containing the names and phone numbers of customers that were sent out. The company also faced another incident where personal data of GrabHitch passengers was disclosed on social media by GrabHitch drivers without consent. No fines were imposed, however.

Previously, in October 2018, Grab was also fined SG$6000 for inadequate security to prevent unauthorized disclosure of the personal data of GrabHitch drivers.

SHARE THIS STORY