GrabCar fined S$10,000 for 4th user data privacy violation
SINGAPORE: Singapore’s privacy watchdog fined ride-hailing app GrabCar S$10,000, saying a 2019 update put the data of some users at risk of unauthorised access in what the watchdog said was a fourth breach of data privacy regulations and “a significant cause for concern”.
In a filing published on Sep 10, the Personal Data Protection Commission (PDPC) said the update risked the personal data of 21,541 drivers and passengers, including profile pictures, names and vehicle plate numbers, related to carpooling service GrabHitch.
GrabCar, a unit of Southeast Asia’s largest startup Grab Holdings, rolled back the app to the previous version within about 40 minutes and took other remedial action, PDPC said.
“Given that the organisation’s business involves processing large volumes of personal data on a daily basis, this is a significant cause for concern,” PDPC said.
On Aug 30, 2019, GrabCar notified the PDPC that profile data of 5,651 GrabHitch drivers was exposed to the risk of unauthorised access by other GrabHitch drivers for a “short period of time on the same day” through the Grab app.
Grab’s investigations traced the cause of the breach to a deployment of an update to the app on the same day, said PDPC deputy commissioner Yeong Zee Kin.
“The purpose of the update was to address a potential vulnerability discovered within the Grab app,” he said.
In PDPC’s findings, Mr Yeong said the application programming interface URL which allowed GrabHitch drivers to access their data, had contained a “userID” portion that could potentially be manipulated to allow access to other drivers’ data.
According to GrabCar, there was no evidence that this vulnerability was exploited, said PDPC.
To fix the vulnerability, the update removed the “userID” from the URL, which shortened it to a hard-coded “users/profile”. However, it failed to take into account the URL-based caching mechanism in the app, which was configured to refresh every 10 seconds.
The mechanism served cached content in response to data requests, so as to reduce the load of direct access to GrabCar’s database.
With the update, all URLs in the Grab app ended with “users/profile”. Without the “userID” in the URL, which directed data requests to the correct GrabHitch driver’s accounts, the caching mechanism could no longer differentiate between drivers.
Thus, the mechanism provided the same data to all GrabHitch drivers for 10 seconds before new data was retrieved from GrabCar’s database and cached for the next 10 seconds.
PDPC’s Mr Yeong said GrabCar did not put in place “sufficiently robust processes” to manage changes to its IT system that may put personal data it was processing at risk.
“This was a particularly grave error given that this is the second time the (GrabCar) is making a similar mistake, albeit with respect to a different system,” he said.
In a statement in response to Reuters’ query on Sunday, Grab said: “To prevent a recurrence, we have since introduced more robust processes, especially pertaining to our IT environment testing, along with updated governance procedures and an architecture review of our legacy application and source codes.”
FINED FOR UNAUTHORISED DISCLOSURE OF CUSTOMER DATA IN 2019
In 2019, GrabCar was ordered to pay a financial penalty of S$16,000 after it sent out more than 120,000 marketing emails to customers containing the name and mobile phone number of another customer.
The PDPC had found that GrabCar “failed to make reasonable security arrangements” to detect the errors in their database when sending out the emails.
In the grounds of decision Jun 11 last year, PDPC pointed out that GrabCar had made a “grave error” in not conducting “proper user acceptance testing” before the emails were sent out.