Almost everyone in Singapore who has a phone and goes online would have been subject to spam messages and online scams.
Given that there seems to be an endless number of people trying to use our personal data for shady deeds, it’s really important to ensure that our data is protected.
That’s why it’s concerning when Grab was fined $10,000 for a personal data breach that caused more than 21,000 users’ personal data to be exposed to the risk of unauthorised access.
According to a decision reached by the Personal Data Protection Commission (PDPC) and released on Thursday (10 Sep), the incident started with an update to the Grab app on 30 Aug 2019.
Ironically, the update was called to patch a potential vulnerability in the app — an interface that could allow access to the data of GrabHitch drivers.
The update tried to fix the vulnerability, but somehow ended up causing the profile data of 5,651 drivers to be exposed to the risk of unauthorised access by other drivers.
As a result, 21,541 GrabHitch drivers’ and passengers’ data was exposed to access by unauthorised persons.
The data that was exposed included:
When Grab realised what happened, it rolled back the app to its pre-update state within about 40 minutes.
Other steps it took included notifying 5,651 drivers of the incident on the same day, and informing the PDPC of the breach.
However, PDPC deputy commissioner Yeong Zee Kin found the company in breach of the Personal Data Protection Act (PDPA).
He said when a company makes changes to its IT system that processes personal data, it’s obliged to put in place “reasonable security arrangements” to make sure the data isn’t compromised.
However, Grab failed to do so as its prevention arrangements weren’t robust enough to avoid exposing the data.
This is a “particularly grave error” as it was the 2nd time it made a similar mistake, Mr Yeong said, although the previous incident dealt with a different system.
Grab also didn’t conduct properly scoped testing before deploying the app update.
In fact, it admitted that it didn’t conduct tests to simulate multiple users accessing the app.
The company should have foreseen this situation, considering there are a large number of GrabHitch drivers, the commissioner added.
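What a "multiple users accessing the app" test can look like, as an added example that is not Grab's code and makes no claim about the actual defect in the update: a constructed in-memory driver profile store, a hypothetical handler that trusts the client-supplied driver id, a hardened handler that serves only the caller's own record, and a harness that simulates many drivers fetching profiles concurrently and reports every response that carries someone else's data. All names and data are invented for the example.

```python
"""Multi-user authorisation test harness (added example, not the article's or Grab's code)."""
from concurrent.futures import ThreadPoolExecutor
import random

# Constructed sample data: 50 hypothetical driver profiles.
DRIVERS = {
    f"driver-{i}": {"driver_id": f"driver-{i}", "name": f"Driver {i}", "plate": f"SBA{1000 + i}X"}
    for i in range(50)
}


class Forbidden(Exception):
    """Raised when a caller asks for a profile that is not their own."""


def insecure_get_profile(session_driver_id, requested_driver_id):
    # Hypothetical defect for illustration: the record is looked up by the id the
    # client sent, and the authenticated session is never compared against it.
    return DRIVERS[requested_driver_id]


def secure_get_profile(session_driver_id, requested_driver_id):
    # Hardened form: the authenticated session decides which record may be read.
    if session_driver_id != requested_driver_id:
        raise Forbidden(f"{session_driver_id} may not read {requested_driver_id}")
    return DRIVERS[requested_driver_id]


def run_multi_user_test(handler, rounds=200, workers=16, seed=1):
    """Simulate many drivers hitting the profile endpoint at once.

    Returns a list of (session_driver_id, leaked_driver_id) pairs, one for every
    response whose record did not belong to the requesting session. An empty
    list means no cross-user exposure was observed.
    """
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    ids = list(DRIVERS)
    # Each simulated request: who is logged in, and which id the client asks for.
    requests = [(rng.choice(ids), rng.choice(ids)) for _ in range(rounds)]

    def one_request(req):
        session, requested = req
        try:
            record = handler(session, requested)
        except Forbidden:
            return None  # correctly refused
        # Any record returned to a session must be that session's own record.
        if record["driver_id"] != session:
            return (session, record["driver_id"])
        return None

    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(one_request, requests))
    return [r for r in results if r is not None]


if __name__ == "__main__":
    print("insecure handler leaks:", len(run_multi_user_test(insecure_get_profile)))
    print("secure handler leaks:", len(run_multi_user_test(secure_get_profile)))
```

The harness is deliberately independent of how the handler is written: it only checks the invariant that every record returned to a session belongs to that session, so the same test can be run against an app build before release regardless of which internal change introduced a regression.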
In his decision, Mr Yeong noted that this is the 4th time that Grab has breached Section 24 of the PDPA.
That section says that a company must protect personal data in its possession or under its control by making reasonable security arrangements to prevent exposure to unauthorised persons.
It’s a “significant cause for concern”, he said, as Grab’s operations involve processing a lot of personal data on a daily basis.
To minimise the risk of another data breach, Grab has 120 days to put in place a “data protection by design policy” for its mobile apps, he added.
In mitigation, it was noted that Grab had cooperated with the investigation and was honest and prompt in responding to queries.
As personal data is easily used improperly in the digital age, such breaches definitely can’t be taken lightly.
It’s understandable that drivers and passengers will be concerned about the breaches, so let’s hope the processes will be tightened so it doesn’t happen again.
Featured image adapted from Facebook.