Grab Fined $10,000 For Personal Data Breach Involving GrabHitch, It’s The 4th Time This Has Happened

Almost everyone in Singapore who has a phone and goes online would have been subject to spam messages and online scams.

Given that there seems to be an endless number of people trying to use our personal data for shady deeds, it’s really important to ensure that our data is protected.

That’s why it’s concerning when Grab was fined $10,000 for a personal data breach that caused more than 21,000 users’ personal data to be exposed to the risk of unauthorised access.


Incident started with Grab app update

According to a decision reached by the Personal Data Protection Commission (PDPC) and released on Thursday (10 Sep), the incident started with an update to the Grab app on 30 Aug 2019.

Ironically, the update was meant to patch a potential vulnerability in the app: an interface that could allow access to the data of GrabHitch drivers.

The update tried to fix the vulnerability, but somehow ended up causing the profile data of 5,651 drivers to be exposed to the risk of unauthorised access by other drivers.


21,541 drivers’ & passengers’ data exposed

As a result, 21,541 GrabHitch drivers’ and passengers’ data was exposed to access by unauthorised persons.

The data that was exposed included:

  1. Profile photos
  2. Passenger names
  3. Vehicle licence plate numbers
  4. Wallet balances, which comprised a history of ride payments
  5. Booking details, e.g. pick-up and drop-off timings
  6. Driver details, e.g. total number of rides, vehicle models and makes

When Grab realised what had happened, it rolled the app back to its pre-update state within about 40 minutes.

Other steps it took included notifying 5,651 drivers of the incident on the same day, and informing the PDPC of the breach.


Grab found in breach of PDPA

However, PDPC deputy commissioner Yeong Zee Kin found the company in breach of the Personal Data Protection Act (PDPA).

He said when a company makes changes to its IT system that processes personal data, it’s obliged to put in place “reasonable security arrangements” to make sure the data isn’t compromised.

However, Grab failed to do so as its prevention arrangements weren’t robust enough to avoid exposing the data.

This is a “particularly grave error” as it was the 2nd time it made a similar mistake, Mr Yeong said, although the previous incident dealt with a different system.

Grab also didn’t conduct properly scoped testing before deploying the app update.

In fact, it admitted that it didn’t conduct tests to simulate multiple users accessing the app.

The company should have foreseen this situation, considering the large number of GrabHitch drivers, Mr Yeong added.
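The testing gap the decision describes, as an added illustration that is not Grab’s code and does not reflect the actual root cause of the incident (the decision reported here does not state it): a request handler that authenticates the caller but never checks that the requested record belongs to that caller is a constructed stand-in for a data-exposure defect, and a small multi-user probe run before deployment is the kind of “properly scoped testing” that would surface it. All names, profile data and session tokens below are constructed sample values.

```python
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from threading import Lock
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DriverProfile:
    driver_id: str
    name: str
    plate: str
    wallet_balance: float


# Constructed sample records standing in for a driver profile store.
PROFILES: Dict[str, DriverProfile] = {
    "d-001": DriverProfile("d-001", "Driver One", "SBA1111A", 42.50),
    "d-002": DriverProfile("d-002", "Driver Two", "SBA2222B", 13.00),
    "d-003": DriverProfile("d-003", "Driver Three", "SBA3333C", 0.00),
}

# Constructed session store: bearer token -> authenticated driver id.
SESSIONS: Dict[str, str] = {
    "tok-aaa": "d-001",
    "tok-bbb": "d-002",
    "tok-ccc": "d-003",
}

Handler = Callable[[str, str], Optional[DriverProfile]]


def get_profile_unchecked(token: str, requested_id: str) -> Optional[DriverProfile]:
    """Hypothetical defective handler: it only checks that the caller is logged in,
    then returns whichever profile id was requested, so one driver can read another's."""
    if token not in SESSIONS:
        return None
    return PROFILES.get(requested_id)


def get_profile_checked(token: str, requested_id: str) -> Optional[DriverProfile]:
    """Hardened handler: the record is released only when it belongs to the caller
    identified by the session, which is the authorisation step the defective one lacks."""
    caller = SESSIONS.get(token)
    if caller is None or caller != requested_id:
        return None
    return PROFILES.get(requested_id)


def cross_user_leaks(handler: Handler, workers: int = 8) -> List[Tuple[str, str]]:
    """Pre-deployment isolation probe: every authenticated driver concurrently requests
    every known profile id. Returns sorted (caller, leaked_id) pairs for each response
    that handed a caller somebody else's record; an empty list means no cross-user exposure."""
    leaks: List[Tuple[str, str]] = []
    lock = Lock()

    def probe(token: str, caller: str, target: str) -> None:
        result = handler(token, target)
        if result is not None and result.driver_id != caller:
            with lock:
                leaks.append((caller, target))

    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = [
            pool.submit(probe, token, caller, target)
            for token, caller in SESSIONS.items()
            for target in PROFILES
        ]
        for fut in futures:
            fut.result()  # re-raise any exception from a worker instead of hiding it
    return sorted(leaks)


def own_profile_still_served(handler: Handler) -> bool:
    """Sanity check that the hardened handler does not break the legitimate path."""
    return all(
        handler(token, caller) == PROFILES[caller] for token, caller in SESSIONS.items()
    )


if __name__ == "__main__":
    print("unchecked handler leaks:", cross_user_leaks(get_profile_unchecked))
    print("checked handler leaks:  ", cross_user_leaks(get_profile_checked))
    print("checked serves own data:", own_profile_still_served(get_profile_checked))
```

The probe is deliberately independent of how the handler is implemented: it only needs a set of authenticated sessions and the list of record ids, so the same test can gate any release of a component that serves per-user data, and it runs in seconds even with thousands of sessions.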


4th-time breach is a “cause for concern”

In his decision, Mr Yeong noted that this is the 4th time that Grab has breached Section 24 of the PDPA.

That section says that a company must protect personal data in its possession or under its control by making reasonable security arrangements to prevent exposure to unauthorised persons.

It’s a “significant cause for concern”, he said, as Grab’s operations involve processing a lot of personal data on a daily basis.

To minimise the risk of another data breach, Grab has 120 days to put in place a “data protection by design policy” for its mobile apps, he added.


Grab cooperated with the investigation

In mitigation, it was noted that Grab had cooperated with the investigation and was honest and prompt in responding to queries.

As personal data is easily used improperly in the digital age, such breaches definitely can’t be taken lightly.

It’s understandable that drivers and passengers will be concerned about the breaches, so let’s hope the processes will be tightened so it doesn’t happen again.

Featured image adapted from Facebook.