GrabCar fined for unauthorised disclosure of customer data
SINGAPORE: GrabCar has been ordered to pay a financial penalty of S$16,000 after it sent out more than 120,000 marketing emails to customers containing the name and mobile phone number of another customer.
The Personal Data Protection Commission (PDPC) found that GrabCar, which is part of the Grab Group, had “failed to make reasonable security arrangements” to detect the errors in their database when sending out the emails.
In the grounds of decision on Tuesday (Jun 11), the commissioner pointed out that GrabCar had made a “grave error” in not conducting “proper user acceptance testing” before the emails were sent out.
The commissioner said that GrabCar frequently sends out marketing emails offering “special promotions to selected customers”.
On Dec 17, 2017, the company sent out 399,751 marketing emails to customers as part of a campaign.
Of those, 120,747 emails contained the name and mobile phone number of a customer other than the intended recipient.
Shortly after the emails went out, the Customer Experience team at GrabCar was alerted to an increased number of customer queries about the unauthorised disclosure of personal data.
GrabCar then traced the cause of the incident to the “erroneous assembly” of customer information from different database tables.
According to the commissioner’s findings, it was not disputed by the company that the personal data was disclosed “mistakenly and without authorisation”.
“The commissioner finds that the organisation did not have adequate measures in place to detect whether the changes it made to the system that held personal data introduced errors that put the personal data it was processing at risk,” the decision stated.
The commissioner said the data leak arose “in part because of administrative failures” and that GrabCar had admitted the “technical documentation” of its verified email database was not sufficiently clear.
“There were shortcomings in the way the organisation conducted tests. Tests were conducted on non-verified email addresses instead of on both non-verified and verified email addresses.”
The testers did not discover the mismatch because the test email addresses were not verified and therefore not affected when the databases were joined.
“In the circumstances, the commissioner finds that the organisation had failed to make reasonable security arrangements to detect errors when preparing the change, in other words, writing the database query, as well as in failing to conduct proper testing before implementing the change,” said the commissioner.
GrabCar had asked for a reduction in the financial penalty, saying it had alerted the commission voluntarily and implemented a remediation plan.
That plan included more rigorous data validation and changing its practices to require a third person to perform “sanity checks” of the data before starting new marketing campaigns.
It said it plans to mask mobile phone numbers in future campaigns as well.
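The failure the decision describes (a query that joins customer data from different tables incorrectly, tests run only against non-verified addresses, and a remediation plan of pre-campaign data validation) can be reproduced in miniature. The following is an added illustration, not GrabCar's code or schema: the customers, the two email tables, the faulty join on the sequence number and the validation routine are all constructed here as assumptions about how such a mismatch arises and how a sanity check catches it before sending.

```python
import sqlite3

# Constructed sample data and a hypothetical schema; none of this is GrabCar's.
CUSTOMERS = [
    (1, "Alice Tan", "+65-8000-0001"),
    (2, "Ben Lim", "+65-8000-0002"),
    (3, "Chloe Ng", "+65-8000-0003"),
]
VERIFIED = [(2, "ben@example.com"), (3, "chloe@example.com")]    # (customer_id, email)
UNVERIFIED = [(1, "alice@example.com")]


def build_db():
    """In-memory database holding the three tables the campaign query reads."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, phone TEXT);
        CREATE TABLE verified_emails (seq INTEGER PRIMARY KEY, customer_id INTEGER, email TEXT);
        CREATE TABLE unverified_emails (customer_id INTEGER, email TEXT);
    """)
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    conn.executemany("INSERT INTO verified_emails (customer_id, email) VALUES (?, ?)", VERIFIED)
    conn.executemany("INSERT INTO unverified_emails VALUES (?, ?)", UNVERIFIED)
    return conn


# Hypothetical faulty assembly: the verified branch joins on the table's own
# sequence number instead of customer_id, so each verified recipient is paired
# with whichever customer happens to carry that id. The unverified branch joins
# correctly, which is why a test that only uses unverified addresses never trips.
FAULTY_QUERY = """
    SELECT v.email, c.name, c.phone
      FROM verified_emails v JOIN customers c ON c.id = v.seq
    UNION ALL
    SELECT u.email, c.name, c.phone
      FROM unverified_emails u JOIN customers c ON c.id = u.customer_id
"""
CORRECT_QUERY = FAULTY_QUERY.replace("ON c.id = v.seq", "ON c.id = v.customer_id")


def assemble_campaign(conn, query):
    """Rows of (recipient_email, name, phone) that would be merged into each email body."""
    return [tuple(r) for r in conn.execute(query)]


def validate_campaign(conn, rows):
    """Pre-send sanity check: the name and phone in each email must belong to the
    customer who owns the recipient address. Returns the offending rows."""
    owner = dict(conn.execute(
        "SELECT email, customer_id FROM verified_emails "
        "UNION ALL SELECT email, customer_id FROM unverified_emails"))
    profile = {cid: (name, phone) for cid, name, phone in
               conn.execute("SELECT id, name, phone FROM customers")}
    return [row for row in rows
            if row[0] not in owner or profile.get(owner[row[0]]) != (row[1], row[2])]


def run_uat(conn, query, test_addresses):
    """User acceptance test restricted to the given addresses; returns the mismatch count."""
    rows = [r for r in assemble_campaign(conn, query) if r[0] in test_addresses]
    return len(validate_campaign(conn, rows))


if __name__ == "__main__":
    conn = build_db()
    unverified_only = {"alice@example.com"}
    both = unverified_only | {"ben@example.com", "chloe@example.com"}
    print("faulty query, unverified test addresses only:", run_uat(conn, FAULTY_QUERY, unverified_only))  # 0, bug missed
    print("faulty query, verified and unverified:", run_uat(conn, FAULTY_QUERY, both))                    # 2, bug caught
    print("correct query, verified and unverified:", run_uat(conn, CORRECT_QUERY, both))                  # 0
```

The point of the check is that it does not trust the assembled rows at all: it independently resolves the owner of every recipient address and compares the embedded name and phone against that owner's record, so a join defect in any branch surfaces as a non-empty mismatch list before a single message is sent. Running it against test addresses drawn from both email tables is what turns the "0 mismatches" of an incomplete test into the "2 mismatches" that would have stopped the campaign.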