SINGAPORE: GrabCar has been ordered to pay a financial penalty of S$16,000 after it sent out more than 120,000 marketing emails to customers containing the name and mobile phone number of another customer.
The Personal Data Protection Commission (PDPC) found that GrabCar, which is part of the Grab Group, had “failed to make reasonable security arrangements” to detect the errors in their database when sending out the emails.
In the grounds of decision on Tuesday (Jun 11), the commissioner pointed out that GrabCar had made a “grave error” in not conducting “proper user acceptance testing” before the emails were sent out.
PDPC was notified of GrabCar’s error by GrabTaxi Holdings on Jan 5, 2018.
MIX-UP IN DATABASES
The commissioner said that GrabCar frequently sends out marketing emails offering “special promotions to selected customers”.
On Dec 17, 2017, the company sent out 399,751 marketing emails to customers as part of a campaign.
Within that, 120,747 emails contained the name and mobile phone number of another customer other than the intended recipient.
Shortly after the emails went out, the Customer Experience team at GrabCar was alerted to an increased number of customer queries about the unauthorised disclosure of personal data.
GrabCar then traced the cause of the incident to the "erroneous assembly" of customer information from different database tables.
In response to queries from CNA, Grab said that the incident occurred due to a mismatched database, resulting in each affected customer’s name and phone number being disclosed to one other individual.
According to the commissioner's findings, it was not disputed by the company that the personal data was disclosed “mistakenly and without authorisation”.
“The commissioner finds that the organisation did not have adequate measures in place to detect whether the changes it made to the system that held personal data introduced errors that put the personal data it was processing at risk,” it was stated.
The commissioner said the data leak arose “in part because of administrative failures” and that GrabCar had admitted the “technical documentation” of its verified email database was not sufficiently clear.
“There were shortcomings in the way the organisation conducted tests.Tests were conducted on non-verified email addresses instead of on both non-verified and verified email addresses.”
The testers did not discover the mismatch because the test email addresses were not verified and therefore not affected when the databases were joined.
“In the circumstances, the commissioner finds that the organisation had failed to make reasonable security arrangements to detect errors when preparing the change, in other words, writing the database query, as well as in failing to conduct proper testing before implementing the change,” said the commissioner.
GRAB "DEEPLY REGRETS" INCIDENT; INTRODUCES NEW PROCESSES
In its statement to CNA, Grab said that it "deeply regrets" the incident.
"Grab takes data protection and our users’ privacy very seriously, and deeply regrets that this incident occurred.
"When the incident was discovered on 17 December 2017, we reported it to the Personal Data Protection Commission (PDPC) immediately," a Grab spokesperson said.
GrabCar had asked for a reduction in the financial penalty, saying it had alerted the commission voluntarily and implemented a remediation plan.
That plan included more rigorous data validation and changing its practices to require a third person to perform “sanity checks” of the data before starting new marketing campaigns.
It said it plans to mask mobile phone numbers in future campaigns as well.
"To prevent a recurrence, we had immediately put in place more rigorous data validation and checks, including new processes that require a third person to perform sanity checks on data as well as masking phone numbers in all marketing campaigns," the Grab spokesperson added.
"Grab is committed to comply with the Personal Data Protection Act (PDPA), and apologise for any anxiety caused."