Carousell fined S$58,000 over personal data leaks affecting over 2.6 million users

It will have to conduct a review of its internal processes and furnish a report to the Personal Data Protection Commission.

Daniel Seow | February 23, 2024, 07:17 PM


Online marketplace Carousell has been fined S$58,000 by the Personal Data Protection Commission (PDPC) for two data breach incidents in 2022.

This was disclosed in a press release on Feb. 22 (Thursday).

The first data breach, reported on Sep. 5, 2022, resulted in the leaking of the personal data of 44,777 people across Singapore, Malaysia, Indonesia, Taiwan and the Philippines.

The second data breach, reported on Oct. 17, 2022, led to the personal data of 2.6 million Carousell users being put up for sale on an online forum.

Carousell has admitted that it was liable for the two incidents and was found by PDPC to have taken remedial action following the breaches.

The first breach

According to the published decision by the PDPC dated Dec. 28, 2023, the first breach took place after Carousell implemented changes to its chat function on Jul. 13, 2022.

The changes were meant to allow users in the Philippines responding to property listings to opt in for their contact details to be automatically appended to these messages.

However, a human error led to a bug which sent email addresses and names of all "guest users" to all listing owners of all markets.

Having not detected the bug yet, Carousell implemented a fix for an unrelated chat functionality issue on Aug. 18, 2022.

However, this resulted in the email addresses and names of "registered users" being sent to all listing owners as well. The phone numbers of users in the Philippines were also revealed.
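The bug described above is a scoping failure: an opt-in feature intended for one market and one listing category fired for every market and category. The following is an added example, not Carousell's code, showing the unscoped pattern beside a scoped one, plus a pre-launch audit that exercises every market/category pairing so that out-of-scope disclosures surface before release. Market codes, category names, field names and the exact opt-in rule are assumptions.

```python
"""Added example (not Carousell's code): appending a sender's contact
details to a chat message only within the intended market and category,
and auditing the function across all pairings before launch.
"""
from dataclasses import dataclass
from itertools import product

# Intended scope as described in the decision (assumption about the exact rule):
# only Philippines property listings, and only for users who opted in.
ALLOWED_MARKETS = {"PH"}
ALLOWED_CATEGORIES = {"property"}

# Constructed sample values used by the audit below.
SAMPLE_MARKETS = ["SG", "MY", "ID", "TW", "PH"]
SAMPLE_CATEGORIES = ["property", "electronics"]


@dataclass(frozen=True)
class Listing:
    market: str
    category: str


@dataclass(frozen=True)
class Sender:
    name: str
    email: str
    phone: str
    opted_in: bool


def _with_contact(body, sender):
    return f"{body}\n-- {sender.name} | {sender.email} | {sender.phone}"


def append_contact_unscoped(body, listing, sender):
    """Bug pattern: the opt-in check exists, but nothing restricts the
    listing's market or category, so every listing owner receives the
    sender's details."""
    if sender.opted_in:
        return _with_contact(body, sender)
    return body


def append_contact_scoped(body, listing, sender):
    """Fixed pattern: opt-in, market and category must all hold."""
    if (sender.opted_in
            and listing.market in ALLOWED_MARKETS
            and listing.category in ALLOWED_CATEGORIES):
        return _with_contact(body, sender)
    return body


def out_of_scope_disclosures(append_fn, markets, categories):
    """Pre-launch audit: run append_fn over every market/category pairing
    and return the pairings outside the intended scope whose message
    still carries the sender's contact details."""
    sender = Sender("Test User", "test@example.test", "+00-0000", opted_in=True)
    hits = []
    for market, category in product(markets, categories):
        listing = Listing(market, category)
        in_scope = market in ALLOWED_MARKETS and category in ALLOWED_CATEGORIES
        message = append_fn("Is this still available?", listing, sender)
        if not in_scope and sender.email in message:
            hits.append((market, category))
    return hits


if __name__ == "__main__":
    print("unscoped leaks:", out_of_scope_disclosures(
        append_contact_unscoped, SAMPLE_MARKETS, SAMPLE_CATEGORIES))
    print("scoped leaks:", out_of_scope_disclosures(
        append_contact_scoped, SAMPLE_MARKETS, SAMPLE_CATEGORIES))
```

The audit deliberately iterates over listings outside the feature's target, which is exactly the check the decision says was missing ("how the changes may have affected other users and listings outside the intended category"). Running it in CI against the real market and category lists turns that omission into a failing build rather than a user report.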

Carousell only became aware of the bug through a user report on Aug. 18, 2022, and implemented a fix six days later.

By then, the personal data of 44,477 individuals had been disclosed without their consent.

PDPC said it accepted Carousell's explanation that the self-reported names of the users can be found on their profiles and might not be indicative of the users' real names.

It therefore did not consider the disclosure of the names to be a breach of the Personal Data Protection Act (PDPA).

The second incident

The second breach happened after Carousell launched a public-facing Application Programming Interface (API) on Jan. 15, 2022, during a system migration.

The API's original function was to retrieve the personal data of users followed by or following a particular user.

However, as the data called up by the function was not filtered, the non-public information of the users, such as email addresses, telephone numbers and date of birth, could be retrieved using the function.
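The failure described here is an API that serialises whole user records where only public profile fields should leave the service. The following is an added example, not Carousell's code, contrasting an unfiltered follower lookup with one that serialises through an allowlist, plus an audit helper that reports which non-public keys appear in a response. The field names, the allowlist and all user records are constructed assumptions.

```python
"""Added example (not Carousell's code): a "followed users" lookup that
returns full records versus one that returns only allowlisted fields.
"""
from dataclasses import dataclass, asdict

# Profile fields that may be shown to other users (assumption).
PUBLIC_FIELDS = {"user_id", "username", "display_name"}


@dataclass(frozen=True)
class User:
    user_id: int
    username: str
    display_name: str
    email: str           # non-public
    phone: str           # non-public
    date_of_birth: str   # non-public


# Constructed sample data.
USERS = {
    1: User(1, "alice", "Alice", "alice@example.test", "+65-0000-0001", "1990-01-01"),
    2: User(2, "bob", "Bob", "bob@example.test", "+65-0000-0002", "1985-05-05"),
    3: User(3, "carol", "Carol", "carol@example.test", "+60-0000-0003", "1992-09-09"),
}
FOLLOWS = {1: [2, 3], 2: [1], 3: []}  # user_id -> ids of users they follow


def followed_by_unfiltered(user_id):
    """Vulnerable pattern: the whole stored record of each followed user
    is serialised straight into the API response."""
    return [asdict(USERS[f]) for f in FOLLOWS[user_id]]


def public_view(user):
    """Allowlist serialiser: only PUBLIC_FIELDS are emitted. New columns
    added to User later stay private until explicitly listed."""
    return {k: v for k, v in asdict(user).items() if k in PUBLIC_FIELDS}


def followed_by_filtered(user_id):
    """Fixed pattern: every record passes through public_view()."""
    return [public_view(USERS[f]) for f in FOLLOWS[user_id]]


def leaked_fields(records):
    """Audit helper for tests or log review: the non-public keys present
    in a list of response records, sorted for stable comparison."""
    return sorted({k for r in records for k in r} - PUBLIC_FIELDS)


if __name__ == "__main__":
    print("unfiltered leaks:", leaked_fields(followed_by_unfiltered(1)))
    print("filtered leaks:  ", leaked_fields(followed_by_filtered(1)))
```

Placing the allowlist in one serialiser that every endpoint must call, rather than a filter each endpoint has to remember, is the design choice that matters here: the decision notes the filter was not re-applied to this API after a migration, and a response-level allowlist is what survives that kind of change. The `leaked_fields` check is cheap to run in an automated test against each public endpoint's sample response.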

A "threat actor" was able to exploit the vulnerability and obtain the personal data of a large number of users through 46 accounts that had a large following or large number of followed accounts between May and June 2022.

Carousell later discovered the bug and patched it on Sep. 15, 2022. However, as it only checked the 60-day period prior to the data breach, it did not detect any unauthorised access to users' personal data.

Carousell only got wind of the breach when PDPC alerted the platform on Oct. 13, 2022, that someone was offering the personal data of approximately 2.6 million Carousell users for sale on an online forum.

After Carousell investigated the incident and confirmed the data theft was due to the API bug, they confirmed the data breach with PDPC on Oct. 17, 2023.

Carousell identified and blocked the threat actor's account on Oct. 13, 2023, and notified affected users by email subsequently.

Found to have breached PDPA obligations

PDPC found that Carousell had breached its obligations under the Personal Data Protection Act (PDPA) by failing to conduct adequate pre-launch testing for new features.

Carousell admitted that prior to the first incident, it did not do tests to "check how the changes may have affected other users and listings outside the intended category".

PDPC noted that reasonable code reviews and testing would have detected the July 2022 and August 2022 bugs before the changes went live.

Regarding the second incident, PDPC also found that Carousell did not maintain reliable documentation on the functional and technical specifications of its application, which would help to keep track of issues over time.

Carousell admitted that the APIs for the system migration were built in 2016 and "did not have proper documentation".

"As a result, the personnel involved in the system migration may not have been aware of the need to apply the filter to the relevant API post-migration," the platform said.

Carousell will need to review processes, rectify gaps: PDPC

On whether a financial penalty should be imposed, PDPC wrote it recognised that Carousell was cooperative with investigations and took "prompt and effective remediation actions" upon discovering the two breaches.

It also noted that Carousell had not previously contravened PDPA.

PDPC also explained that the threat actor's actions in the second breach were "particularly sophisticated" and that Carousell's API processes and security measures were "adequate in general". Despite these measures, however, the threat actor "took action to remain undetected".

PDPC commended Carousell's "early admission of liability" for its breaches and considered it a "significant mitigating factor".

PDPC said,

"An organisation that voluntarily admits to its noncompliance with the PDPA and takes measures to correct such non-compliance is an organisation that demonstrates that it can be responsible for the personal data in its possession or under its control."

Apart from imposing a fine of S$58,000, PDPC also directed Carousell to conduct a review of its internal processes, such as procedures with regard to software testing and documentation of software specifications, and take requisite actions to rectify any gaps identified.

It will also have to furnish PDPC with a report on the review and rectification actions taken.

Top image from Alariss Global website.