Grab fined S$10,000 after personal data of more than 21,000 GrabHitch drivers & passengers exposed

Passenger names and GrabHitch booking details were compromised.

Syahindah Ishak | September 13, 2020, 06:32 PM

21,541 GrabHitch drivers' and passengers' data was exposed to the risk of unauthorised access via the Grab app in 2019.

According to a case report by the Deputy Commissioner of the Personal Data Protection Commission (PDPC), Yeong Zee Kin, the exposed data includes personal information such as:

  • profile pictures
  • passenger names
  • vehicle plate number
  • wallet balance comprising journal history of ride payments
  • GrabHitch booking details (addresses and pickup and drop-off times)
  • driver details (total rides, vehicle model and make)

Fined S$10,000

Consequently, a S$10,000 fine was imposed and a direction was issued to Grab for failing to put in place reasonable security arrangements to prevent the incident from occurring.

Investigations by Grab traced the cause of the incident to an update on the Grab App on Aug. 30, 2019.

The purpose of the update, as written in the report, was to address a "potential vulnerability" discovered within the Grab app.

Steps taken after the data breach

Upon being notified of the incident, Grab rolled back its app to the version prior to the update within approximately 40 minutes.

It also notified 5,651 GrabHitch drivers of the incident on the same day.

Additionally, Grab took the following steps in view of the data breach:

  • Increased the minimum 'cash out' amount for wallets in GrabHitch to S$200,000 to prevent unauthorised transfers.
  • Reviewed its testing procedures including the implementation of mandatory automated tests for all application programming interface endpoints dealing with personal data.
  • Updated governance procedures concerning deployment and security verification on changes to IT systems and applications.
  • Embarked on an architecture review of its legacy applications, and relevant codes which had not been reviewed for an extended period of time.

On Sep. 10, 2019, Grab deployed a new update for its app.

In an official statement to Mothership, a Grab spokesperson stated:

"The security of data and the privacy of our users is of utmost importance to us, and we are sorry for disappointing them. When the incident was discovered on 30 August 2019, we took immediate actions to safeguard our users’ data and self-reported it to the Personal Data Protection Commission (PDPC). To prevent a recurrence, we have since introduced more robust processes, especially pertaining to our IT environment testing, along with updated governance procedures and an architecture review of our legacy application and source codes."

Breached Personal Data Protection Act

PDPC Deputy Commissioner Yeong found that Grab had breached Section 24 of the Personal Data Protection Act (PDPA).

He came to the decision due to two main reasons.

First, Grab did not put in place "sufficiently robust processes" to manage changes to its IT system that may put the personal data it was processing at risk.

"This was a particularly grave error given that this is the second time the organisation is making a similar mistake, albeit with respect to a different system," explained Yeong.

Secondly, Grab did not conduct properly-scoped testing before the update to the Grab App was deployed.

However, Yeong said that he took into account as a mitigating factor Grab's cooperation in the investigation.

It was "prompt and forthcoming" with its responses to queries during the commission's investigations.

He added:

"I have also taken into consideration that this is the fourth time the organisation has been found in breach of Section 24 of the PDPA. Given that the organisation's business involves processing large volumes of personal data on a daily basis, this is a significant cause for concern."

Totally unrelated but follow and listen to our podcast here:

Top image from Grab.