Almost everyone in Singapore who has a phone and goes online would have been subject to spam messages and online scams.
Given that there seems to be an endless number of people trying to use our personal data for shady deeds, it’s really important to ensure that our data is protected.
That’s why it’s concerning when Grab was fined $10,000 for a personal data breach that caused more than 21,000 users’ personal data to be exposed to the risk of unauthorised access.
According to a decision reached by the Personal Data Protection Commission (PDPC) and released on Thursday (10 Sep), the incident started with an update to the Grab app on 30 Aug 2019.
Ironically, the update was called to patch a potential vulnerability in the app — an interface that could allow access to the data of GrabHitch drivers.
The update tried to fix the vulnerability, but somehow ended up causing the profile data of 5,651 drivers to be exposed to the risk of unauthorised access by other drivers.
As a result, 21,541 GrabHitch drivers’ and passengers’ data was exposed to access by unauthorised persons.
The data that was exposed included:
When Grab realised what happened, it rolled back the app to the its pre-updated state within about 40 minutes.
Other steps it took included notifying 5,651 drivers of the incident on the same day, and informing the PDPC of the breach.
However, PDPC deputy commissioner Yeong Zee Kin found the company in breach of the Personal Data Protection Act (PDPA).
He said when a company makes changes to its IT system that processes personal data, it’s obliged to put in place “reasonable security arrangements” to make sure the data isn’t compromised.
However, Grab failed to do so as its prevention arrangements weren’t robust enough to avoid exposing the data.
This is a “particularly grave error” as it was the 2nd time it made a similar mistake, Mr Yeong said, although the previous incident dealt with a different system.
Grab also didn’t conduct properly scoped testing before deploying the app update.
In fact, it admitted that it didn’t conduct tests to simulate the multiple users accessing the app
The company should have foreseen this situation, considering there’re a large number of GrabHitch drivers, the commissioner added.
In his decision, Mr Yeong noted that this is the 4th time that Grab has breached Section 24 of the PDPA.
That says that a company must protect personal data in its possession or under its
control by making reasonable security arrangements to prevent exposure to unauthorised persons.
It’s a “significant cause for concern”, he said, as Grab’s operations involves processing a lot of personal data on a daily basis.
To minimise the risk of another data breach, Grab has 120 days to put in place a “data protection by design policy” for its mobile apps, he added.
In mitigation, it was noted that Grab had cooperated with the investigation and was honest and prompt in responding to queries.
As personal data is easily used improperly in the digital age, such breaches definitely can’t be taken lightly.
It’s understandable that drivers and passengers will be concerned about the breaches, so let’s hope the processes will be tightened so it doesn’t happen again.
Featured image adapted from Facebook.
They purchased it for S$378,000 and recently sold it for S$1.518 million.
Some people were also seen cutting the queue to grab multiple packs of cake.
Three opposition parties are gearing up to contest against the PAP in Tampines GRC.
The cat owner said previous grooming sessions were usually gentle when she stayed to watch…
He allegedly became abusive when told that he would be taken off the flight if…
The female car driver, 30, was arrested for careless driving without due care and attention…