Singapore’s privacy regulator imposed a S$10,000 (US$7,311) penalty on ride-hailing company GrabCar for a personal-data breach incident last year and raised the alarm on repeated violations.
In August 2019, an update of Grab’s mobile application exposed the personal data of more than 21,500 users to the risk of unauthorized access, according to the Personal Data Protection Commission.
The data that was exposed included:
- Profile photos and passenger names
- Vehicle licence plate numbers
- Wallet balances, which comprised the history of ride payments
- Booking details such as pick-up and drop-off timings
- Drivers' details such as total number of rides and vehicle makes and models
The breach was related to GrabHitch, Grab’s social carpooling service launched in 2015. According to the announcement by Singapore’s Personal Data Protection Commission dated 10 September 2020, the glitch was fixed within an hour.
Nevertheless, the Commission expressed concern, calling this a “particularly grave error” as it was the second time Grab had made a similar mistake. Grab has 120 days to put together a “data protection plan by design policy” for its mobile apps to minimise the risk of another data breach.
“Given that the organization’s business involves processing large volumes of personal data on a daily basis, this is a significant cause for concern,” Yeong Zee Kin, deputy commissioner for the Personal Data Protection Commission, said in the announcement.
Jonathan Knudsen, Senior Security Strategist at Synopsys Software Integrity Group, added, “When security incidents happen, those who aren’t prepared — with a software security initiative or incident response plan — must then face the fallout. This usually comes in the form of running from one emergency to the next, until the time and effort is put into making their systems more resilient. However, reputational damage may not provide such a clear-cut path forward in terms of customer trust.”