[BreachExchange] GrabCar fined for unauthorised disclosure of customer data in 120,000 marketing emails

Destry Winant destry at riskbasedsecurity.com
Wed Jun 12 09:56:01 EDT 2019


https://www.straitstimes.com/singapore/transport/grabcar-fined-16000-over-personal-data-breaches-in-marketing-e-mails

GrabCar has been ordered to pay a financial penalty of S$16,000 after
it sent out more than 120,000 marketing emails to customers containing
the name and mobile phone number of another customer.

The Personal Data Protection Commission (PDPC) found that GrabCar,
which is part of the Grab Group, had “failed to make reasonable
security arrangements” to detect the errors in their database when
sending out the emails.

In the grounds of decision on Tuesday (Jun 11), the commissioner
pointed out that GrabCar had made a “grave error” in not conducting
“proper user acceptance testing” before the emails were sent out.

PDPC was notified of GrabCar’s error by GrabTaxi Holdings on Jan 5, 2018.

MIX-UP IN DATABASES

The commissioner said that GrabCar frequently sends out marketing
emails offering “special promotions to selected customers”.

On Dec 17, 2017, the company sent out 399,751 marketing emails to
customers as part of a campaign.

Within that, 120,747 emails contained the name and mobile phone number
of another customer other than the intended recipient.

Shortly after the emails went out, the Customer Experience team at
GrabCar was alerted to an increased number of customer queries about
the unauthorised disclosure of personal data.

GrabCar then traced the cause of the incident to the "erroneous
assembly" of customer information from different database tables.

In response to queries from CNA, Grab said that the incident occurred
due to a mismatched database, resulting in each affected customer’s
name and phone number being disclosed to one other individual.

According to the commissioner's findings, it was not disputed by the
company that the personal data was disclosed “mistakenly and without
authorisation”.

“The commissioner finds that the organisation did not have adequate
measures in place to detect whether the changes it made to the system
that held personal data introduced errors that put the personal data
it was processing at risk,” it was stated.

The commissioner said the data leak arose “in part because of
administrative failures” and that GrabCar had admitted the “technical
documentation” of its verified email database was not sufficiently
clear.

“There were shortcomings in the way the organisation conducted
tests. Tests were conducted on non-verified email addresses instead of
on both non-verified and verified email addresses.”

The testers did not discover the mismatch because the test email
addresses were not verified and therefore not affected when the
databases were joined.

“In the circumstances, the commissioner finds that the organisation
had failed to make reasonable security arrangements to detect errors
when preparing the change, in other words, writing the database query,
as well as in failing to conduct proper testing before implementing
the change,” said the commissioner.

GRAB "DEEPLY REGRETS" INCIDENT; INTRODUCES NEW PROCESSES

In its statement to CNA, Grab said that it "deeply regrets" the incident.

"Grab takes data protection and our users’ privacy very seriously, and
deeply regrets that this incident occurred.

"When the incident was discovered on 17 December 2017, we reported it
to the Personal Data Protection Commission (PDPC) immediately," a Grab
spokesperson said.

GrabCar had asked for a reduction in the financial penalty, saying it
had alerted the commission voluntarily and implemented a remediation
plan.

That plan included more rigorous data validation and changing its
practices to require a third person to perform “sanity checks” of the
data before starting new marketing campaigns.

It said it plans to mask mobile phone numbers in future campaigns as well.
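The failure pattern the commissioner describes (a query that assembles name and phone from the wrong table rows, and tests that only covered unverified addresses) together with the checks Grab said it added (data validation, a sanity check of the data, phone masking), reconstructed as an added Python example that is not part of the article or of Grab's systems. The table layout, the positional-join defect and the sample customers are constructed assumptions.

```python
import sqlite3

# Constructed sample data (not from the article). Carol has no verified
# address; verified_emails is stored in a different row order than customers.
CUSTOMERS = [(1, "Alice", "+65 1111 1111", "alice@example.test"),
             (2, "Bob", "+65 2222 2222", "bob@example.test"),
             (3, "Carol", "+65 3333 3333", "carol@example.test")]
VERIFIED = [(2, "bob@example.test"), (1, "alice@example.test")]

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT, phone TEXT, email TEXT);
        CREATE TABLE verified_emails(customer_id INTEGER, email TEXT);""")
    db.executemany("INSERT INTO customers VALUES (?,?,?,?)", CUSTOMERS)
    db.executemany("INSERT INTO verified_emails VALUES (?,?)", VERIFIED)
    return db

# Hypothetical defect: verified addresses are joined to customer records by
# row position (v.rowid) instead of customer_id, so every verified recipient
# receives another customer's name and phone. Unverified addresses are read
# straight from customers and are correct, which is why a test mailing sent
# only to unverified addresses would not reveal the problem.
BUGGY_QUERY = """
    SELECT v.email, c.name, c.phone FROM verified_emails v
    JOIN customers c ON c.id = v.rowid
    UNION ALL
    SELECT email, name, phone FROM customers
    WHERE id NOT IN (SELECT customer_id FROM verified_emails)"""
FIXED_QUERY = BUGGY_QUERY.replace("c.id = v.rowid", "c.id = v.customer_id")

def find_mismatches(db, recipients):
    """Pre-send sanity check: the name and phone placed in each email must
    belong to the customer who owns the recipient address. Returns the
    (email, name, phone) rows that would disclose someone else's data."""
    bad = []
    for email, name, phone in recipients:
        owner = db.execute("SELECT name, phone FROM customers WHERE email = ?",
                           (email,)).fetchone()
        if owner != (name, phone):
            bad.append((email, name, phone))
    return bad

def mask_phone(phone):
    """Mask every digit except the last four before the number enters a
    campaign template, so a residual mix-up discloses less."""
    return phone[:-4].translate(str.maketrans("0123456789", "*" * 10)) + phone[-4:]
```

Running the check on the output of both queries shows the buggy assembly flagged only for the verified recipients, which is exactly the slice the original test data left out.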

"To prevent a recurrence, we had immediately put in place more
rigorous data validation and checks, including new processes that
require a third person to perform sanity checks on data as well as
masking phone numbers in all marketing campaigns," the Grab
spokesperson added.

"Grab is committed to comply with the Personal Data Protection Act
(PDPA), and apologise for any anxiety caused."
