GrabCar has been fined S$16,000 after it sent more than 120,000 marketing emails to customers, each of which included the name and mobile phone number of another customer.
The Personal Data Protection Commission (PDPC) found that GrabCar, part of the Grab Group, had failed to put in place reasonable security arrangements to detect errors in its database before the emails were sent out.
The commissioner stated that GrabCar had made a serious mistake by not carrying out proper user acceptance testing before the emails were sent out.
PDPC was notified of GrabCar’s error by GrabTaxi Holdings on Jan 5, 2018.
The commissioner said that GrabCar frequently sends out marketing emails offering “special promotions to selected customers”.
As part of the promotion campaign, the company sent out 399,751 marketing emails to customers on Dec 17, 2017. Of these, 120,747 emails contained the name and mobile phone number of a customer other than the intended recipient.
After the emails were sent, the Customer Experience team at GrabCar was alerted by an increased number of customer queries about the unauthorized disclosure of personal data.
GrabCar traced the cause of the incident to a mismatch in its customer database, which resulted in each affected customer’s name and phone number being disclosed to another individual.
According to the commissioner’s findings, the organization did not take sufficient measures to detect whether the changes it made to the system that held personal data introduced errors that put the personal data it was processing at risk.
The data leak arose in part from administrative failures; GrabCar admitted that the “technical documentation” of its verified email database was not sufficiently clear.
The commission found defects in the way the organization conducted its tests: they were run only on non-verified email addresses rather than on both non-verified and verified email addresses.
Grab stated that it “deeply regrets” the incident. According to a spokesperson, the company reported the issue to the Personal Data Protection Commission (PDPC) soon after the incident was discovered on 17 December 2017.
Grab said it is committed to complying with the Personal Data Protection Act (PDPA) and apologized for any anxiety caused. However, it requested a reduction in the financial penalty, noting that it had alerted the commission voluntarily and implemented a remediation plan.
The plan includes implementing more rigorous data validation and changing its practices to require a third person to check the data before starting new marketing campaigns. Grab also planned to mask mobile phone numbers in its future campaigns.
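The defect class, the test-coverage gap and the remediation described above, as an added illustration that is not GrabCar’s or the PDPC’s code: a positional merge of an address list onto customer records, a pre-send validator that compares each rendered email’s personalisation fields with the recipient’s own record, phone masking, and a run over each cohort. All customer names, numbers and addresses are constructed, and the assumption that only the verified address list is misordered is the example’s own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Customer:
    name: str
    phone: str
    email: str
    verified: bool

def mask_phone(phone: str) -> str:
    """Keep only the last four digits, e.g. '+65 9111 0001' -> '******0001'."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    return "*" * (len(digits) - 4) + digits[-4:]

def merge_by_position(emails, customers):
    """Positional merge of an address list onto customer records, the defect
    class in the article: misordered sources give each recipient another's data."""
    return [{"to": e, "name": c.name, "phone": mask_phone(c.phone)}
            for e, c in zip(emails, customers)]

def validate_batch(customers, rendered):
    """Return recipient addresses whose merged fields differ from that
    recipient's own record; an empty list means the batch is consistent."""
    by_email = {c.email: c for c in customers}
    bad = []
    for row in rendered:
        canon = by_email.get(row["to"])
        if canon is None or (row["name"], row["phone"]) != (canon.name, mask_phone(canon.phone)):
            bad.append(row["to"])
    return bad

# Constructed sample data, not real customers.
CUSTOMERS = [
    Customer("Alice Tan", "+65 9111 0001", "alice@example.com", True),
    Customer("Ben Lim", "+65 9111 0002", "ben@example.com", True),
    Customer("Chen Wei", "+65 9111 0003", "chen@example.com", False),
    Customer("Dana Ong", "+65 9111 0004", "dana@example.com", False),
]
COHORTS = {"non_verified": [c for c in CUSTOMERS if not c.verified],
           "verified": [c for c in CUSTOMERS if c.verified]}
# Assumed: the verified address list comes from a separate source whose row
# order differs from the customer table; the non-verified list lines up.
ADDRESS_LISTS = {"non_verified": [c.email for c in COHORTS["non_verified"]],
                 "verified": [c.email for c in reversed(COHORTS["verified"])]}

def run_check(cohort_names=("non_verified", "verified")):
    """Render and validate each cohort. Testing only 'non_verified', as happened
    per the article, reports no errors; adding 'verified' surfaces the swaps."""
    return {name: validate_batch(CUSTOMERS, merge_by_position(ADDRESS_LISTS[name], COHORTS[name]))
            for name in cohort_names}
```

Running `run_check()` with the default cohorts flags both verified recipients, while `run_check(("non_verified",))` passes cleanly, which is the blind spot the commission described.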