Carousell fined $58k for data breaches

Online marketplace Carousell has been fined $58,000 by the data privacy watchdog for two separate data breaches that took place in 2022, one of which involved data of more than two million users.

The other breach involved the exposure of the personal data of 44,477 Carousell users across Singapore, Malaysia, Indonesia, Taiwan and the Philippines.

The Personal Data Protection Commission (PDPC) published on its website on Feb 22 its decision, laying out why it fined the e-commerce platform for the two breaches.

The first incident, which was reported by The Straits Times in October 2022, involved a database reportedly containing the information of 2.6 million Carousell accounts that had been put on sale on hacking forums for $1,000. The 2GB database was uploaded on Oct 12 that year.

It came about after the launch of a public-facing application programming interface (API) during a system migration process, said the PDPC. An API is a software that allows two applications to communicate with each other.

Its intended function was to retrieve the personal data of users that were either followed by or following a particular Carousell user.

However, a filter was not applied to the function, which would ensure that non-public personal data, including e-mail addresses, telephone numbers and dates of birth, would not be called up.

A threat actor was able to capitalise on this by scraping the data from 46 accounts that had large numbers of users they had followed, or were following them, said the PDPC.

The data had been stolen between May 7 and 13, 2022, as well as on June 25 that year.

The bug was detected on Sept 15 that year, and was patched on the same day.

In its decision, the PDPC said Carousell had initially been unaware of the breach, and was informed about it by the watchdog on Oct 13, 2022.

The PDPC added that the e-commerce platform could not confirm the exact number of people affected, but Carousell estimates that almost 3.4 million people may have had their data compromised.

Meanwhile, the other data breach, which exposed the personal data of 44,477 Carousell users from Singapore, Malaysia, Indonesia, Taiwan and the Philippines, was caused by changes made to Carousell’s chat function on July 13, 2022.

The function was intended for the Philippine market and was meant to append to chat messages a user’s first name, e-mail address and phone number, provided they had given prior consent for this.

Instead, the change led to e-mail addresses and names of users in all markets being appended to chat messages, said the PDPC, which attributed this to “human error”. In the Philippines, users’ telephone numbers were also exposed, it said.

Carousell was made aware of the breach only after a user report on Aug 18, with a fix implemented six days later.

Although names associated with the accounts had been disclosed, the PDPC said it accepted Carousell’s explanation that the names were not necessarily the real names of users, and had been voluntarily given on their profiles.

It added that it did not consider the disclosure of the names relevant in assessing the breaches of the Personal Data Protection Act (PDPA).

The PDPC said Carousell had breached its obligation to protect personal data because it failed to conduct pre-launch testing and failed to document software specifications.

In the smaller data breach, it did not test the changes because they were intended only for select users in the Philippines. It also did not test for data security risks when it implemented the new API.

“Carousell admitted that prior to the second incident, it did not mandate comprehensive code reviews for security issues,” the PDPC added, referring to the breach that affected more than two million users.

There was also a lack of documentation when it came to the software being used, said PDPC.

In the case where changes were made to the chat function, the engineer was not aware that any tweaks made would affect other users.

It possibly also resulted in those involved in the system migration and the launch of the new API not knowing about the need to apply filters.

However, the PDPC said it recognised that Carousell had cooperated with its investigations, and had taken “prompt and effective” steps to remedy the situation after it learnt of both incidents.

Carousell had also not flouted the PDPA before this, and its early admission of liability was considered to be a significant mitigating factor.

The PDPC added that Carousell had adequate security measures put in place, but the hacker was sophisticated in his approach to avoid detection.

Besides the fine, the PDPC also directed Carousell to conduct reviews of its software testing procedures, as well as processes for documenting the specifications of software.

It must also rectify gaps identified in its review and provide a report of the actions taken within 90 days of the PDPC’s decision.