Grab fined $10k after breaching data protection laws for fourth time
Ride-hailing operator Grab has been fined $10,000 for failing to secure drivers' and passengers' personal details on its mobile app, the fourth time in two years it has been found to have breached data protection laws.
According to a written decision by the Personal Data Protection Commission (PDPC) published last Thursday, a software update to Grab's ride-hailing app on Aug 30 last year exposed the personal data of 21,541 GrabHitch drivers and passengers to the risk of unauthorised access.
The update was meant to fix a potential vulnerability detected by Grab by removing a variable from a link in the app's interface that allows GrabHitch drivers to access their data.
But without this variable, the app could no longer differentiate between drivers and as a result, provided the same data to all drivers for 10 seconds before new data could be retrieved. The data exposed included profile pictures, passenger names and vehicle plate numbers.
Upon being notified of the incident, Grab rolled back the app to the version prior to the update and notified 5,651 GrabHitch drivers that day. It also told PDPC of the breach.
PDPC deputy commissioner Yeong Zee Kin noted that sufficiently robust processes were not put in place to manage changes to Grab's IT system, calling the breach "a particularly grave error", given that it was the second time Grab had made a mistake of this nature.
It was fined $16,000 in June last year for disclosing the names and mobile phone numbers of 120,747 customers in marketing e-mails.
In June last year, no financial penalty was imposed on Grab for another incident involving the disclosure of personal data of some GrabHitch passengers by GrabHitch drivers without consent on social media.
In October 2018, Grab was fined $6,000 for failing to make reasonable security arrangements to prevent the unauthorised disclosure of GrabHitch drivers' personal data.
"The security of data and the privacy of our users is of utmost importance to us, and we are sorry for disappointing them," a Grab spokesman said.
To prevent a recurrence, Grab has since introduced more robust processes in its IT environment testing, along with updated governance procedures and a review of legacy application and source codes.