Grab Fined SG$10,000 for Fourth Personal Data Protection Breach in Two Years

This is also the second time that Grab has been found in violation of the same section under Singapore’s Personal Data Protection Act 2012

Singapore-based unicorn and superapp Grab has been fined SG$10,000 (US$7346.7) for violating the country’s data protection laws, according to a circular by Singapore’s Personal Data Protection Commission signed by the Deputy Commissioner for Personal Data Protection, Yeong Zee Kin.

The incident arose from a glitch in a GrabHitch API endpoint, which the company attempted to rectify with an update, according to the circular dated 21 July 2020. The circular was published late last week.

However, the update resulted in the exposure of the data of GrabHitch drivers, including profile pictures, passenger names, vehicle plate numbers and wallet balance (including ride payment history), to possible unauthorized access.

Moreover, apart from personal data, booking data including addresses, pickup and drop-off times, total rides, and vehicle model and make was also exposed to unauthorized access.

While Grab’s initial investigations indicated that the data of 5,651 GrabHitch drivers had been affected, it was eventually discovered that the data of 21,541 drivers and passengers had been exposed, the circular noted.

The circular further said that Grab’s investigations indicated that the data had not been exploited.

It explained that Grab made the update without understanding its larger implications for the company’s IT infrastructure, including its caching mechanism.

The bug that the company was attempting to fix was in the API endpoint ‘/users/{userID}/profile’, which, when manipulated, could give access to other GrabHitch drivers’ data.

To fix this, the company’s update removed the ‘userID’ variable from the URL. As a result, every request from the Grab app used the same URL, ‘/users/profile’, and the app’s caching mechanism could no longer differentiate between driver accounts: whichever driver’s response was cached was served to all drivers on the app, refreshing at 10-second intervals, thereby giving them access to other drivers’ personal and booking data.

Grab admitted to not conducting tests to simulate multiple user access on its app or to verify how its caching mechanism would respond to the update, the circular noted.
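The failure described above is a cache-keying problem: once the user identifier left the URL, a cache keyed only on the path treated every driver’s request as the same resource. The following is an added illustration, not code from the circular or from Grab, and it assumes a simplified setup in which the backend identifies the caller from a session and a response cache sits in front of it with a 10-second TTL. It shows the path-only key serving one driver’s profile to another, the corrected per-user key, and the kind of multi-user test the circular says was not run.

```python
# Added example (assumed, simplified architecture): a response cache in front of
# a profile endpoint, keyed two ways. All data below is constructed sample data.
import time

# Constructed profiles; the backend looks the caller up from the session.
PROFILES = {
    "driver-1": {"name": "Driver One", "plate": "SBA1234A", "wallet": 12.50},
    "driver-2": {"name": "Driver Two", "plate": "SBC5678B", "wallet": 40.00},
}


class FakeClock:
    """Controllable clock so the 10-second TTL can be stepped deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


class ResponseCache:
    """Minimal TTL cache: entries expire after ttl seconds."""

    def __init__(self, ttl_seconds=10.0, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self.store = {}

    def get(self, key):
        hit = self.store.get(key)
        if hit is None:
            return None
        value, expires_at = hit
        if self.clock() >= expires_at:
            del self.store[key]
            return None
        return value

    def put(self, key, value):
        self.store[key] = (value, self.clock() + self.ttl)


def profile_handler(request):
    """Backend: returns the profile of the authenticated session user (assumed design)."""
    return dict(PROFILES[request["session_user"]])


def cache_key_path_only(request):
    """Flawed key: path alone. With {userID} removed from the path, every
    driver's request collapses to '/users/profile' and shares one cache entry."""
    return request["path"]


def cache_key_per_user(request):
    """Corrected key: bind user-specific responses to the authenticated user."""
    return (request["session_user"], request["path"])


def serve(request, cache, key_fn, handler=profile_handler):
    key = key_fn(request)
    cached = cache.get(key)
    if cached is not None:
        return cached
    response = handler(request)
    cache.put(key, response)
    return response


def simulate_timeline(key_fn, ttl_seconds=10.0):
    """Multi-user test: replay several drivers' requests over time and record
    whose profile each of them actually saw. Returns [(t, requester, name_seen)]."""
    clock = FakeClock()
    cache = ResponseCache(ttl_seconds=ttl_seconds, clock=clock)
    script = [(0.0, "driver-1"), (5.0, "driver-2"), (11.0, "driver-2"), (12.0, "driver-1")]
    seen = []
    for t, user in script:
        clock.now = t
        resp = serve({"path": "/users/profile", "session_user": user}, cache, key_fn)
        seen.append((t, user, resp["name"]))
    return seen


def leaks_cross_user_data(key_fn):
    """True if any driver ever received another driver's profile."""
    return any(PROFILES[user]["name"] != name for _, user, name in simulate_timeline(key_fn))


if __name__ == "__main__":
    for key_fn in (cache_key_path_only, cache_key_per_user):
        print(key_fn.__name__, "leaks:", leaks_cross_user_data(key_fn))
        for row in simulate_timeline(key_fn):
            print("  ", row)
```

With the path-only key, the driver who requests first after each expiry "wins" the cache slot and everyone else sees that driver's data until the entry expires, which matches the interval behaviour the circular describes. The per-user key (or, equivalently, marking such responses as not shareable across sessions) makes the same timeline return each driver only their own data, and a replay like `simulate_timeline` is the sort of check a deployment pipeline can run before an API change reaches production.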

Yeong found Grab in violation of Section 24 (Protection of Personal Data) of Singapore’s Personal Data Protection Act 2012.

Section 24 directs an organization to protect the personal data in its possession or under its control by making ‘reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks’.

Yeong imposed a fine of SG$10,000 on the company and gave it 120 days to implement a “data protection by design policy” for its app.

The circular, however, took note of the fact that Grab was cooperative and responsive with the investigation.

It added that on being notified about the bug, the company rolled back the update within about 40 minutes, informed the initially detected 5,651 GrabHitch drivers on the same day, and increased the minimum “cash out” wallet amount to SG$200,000 in order to prevent unauthorized transfers.

Further, apart from deploying a new update within a month, on 10 September 2019, the company also reviewed its testing procedures, adding automated testing for API endpoints that pertained to personal data.

It also updated the relevant governance procedures on deployment and security verification for IT changes, and reviewed its legacy applications and code as further remedial measures.

The notice observed that this is the second time that Grab “did not put in place sufficiently robust processes to manage changes to its IT system that may put the personal data it was processing at risk.”

This is also the fourth time that Grab has been found in breach of Section 24, the circular noted.

The watchdog had earlier fined GrabCar SG$16,000 in June last year for sending out 120,000 marketing emails that contained customers’ names and phone numbers. The company also faced another incident in which the personal data of GrabHitch passengers was disclosed on social media by GrabHitch drivers without consent; no fine was imposed in that case.

Previously, in October 2018, Grab was also fined SG$6,000 for inadequate security to prevent unauthorized disclosure of the personal data of GrabHitch drivers.

Sharon Lewis
Sharon is a Staff Writer at Jumpstart
