GrabCar fined $16,000 for personal data breaches

Ride-hailing firm GrabCar has been fined $16,000 for the unauthorised disclosure of the names and mobile numbers of 120,747 customers in marketing e-mails.

The 2017 incident arose from an e-mail mismatch, where the affected customer's data was disclosed to only one other individual in each case.

Mr Tan Kiat How, the Commissioner for the Personal Data Protection Commission, said yesterday that GrabCar took immediate action and made changes to its practices.

These changes included requiring "a third person to perform sanity checks of the data before triggering any new campaigns" as well as plans to incorporate privacy by masking mobile phone numbers in marketing plans.

GrabCar is part of the Grab group, which offers services such as food delivery and payments on its mobile platform, in addition to ride hailing.

On Dec 17, 2017, GrabCar sent 399,751 marketing e-mails to a targeted group of customers, but 120,747 of these contained the name and mobile number of another customer.

The e-mail was sent to User A as intended but User B's name and phone number were reflected in the e-mail as that of the intended recipient.

 
 
 
 

GrabCar found that the incident was caused by the erroneous assemblage of customer information from different database tables.

Although 399,751 marketing e-mails were generated, only customers who had verified their e-mail addresses received the mismatched e-mails.

Mr Tan said GrabCar had breached its obligations under the Personal Data Protection Act as customer names and phone numbers are regarded as personal data.

He added that GrabCar "did not have adequate measures in place to detect whether the changes it made to the system that held personal data introduced errors that put the personal data it was processing at risk".

Mr Tan took into account GrabCar's prompt and voluntary notification of the incident and its practice of accountability when imposing the $16,000 penalty.

In a separate case, Deputy Commissioner Yeong Zee Kin issued directions to GrabCar for failing to install security arrangements for GrabHitch drivers to protect passenger data.

GrabHitch matches a passenger with a driver who, for a fee, is willing to give the person a lift on the way to the driver's destination.

This case involved separate complaints by two passengers who used GrabHitch to book carpool rides that were provided by two different drivers on separate occasions.

Mr Yeong ordered GrabCar to review and amend its practices to provide detailed guidance for GrabHitch drivers on the handling and protection of customer data.

He ruled that a financial penalty was not warranted as only two individuals were directly affected.