If Goody Feed requires you to give us your phone number and your credit card details, and somehow leaked it, it probably wouldn’t matter much because no one sane would trust us with their personal details.
But if a company like Grab were to lose your details?
That’s when the saying, shit has hit the fan, comes into play.
After all, Grab has 187 million users across 8 different countries and in Singapore, is the go-to app for private-hire rides, food delivery, and even e-wallet services.
So when it’s found that Grab has accidentally exposed 21,000 users’ personal data to the risk of unauthorised access, and it’s the 4th time?
Something has to be done.
Grab Fined $10k After 21K Users’ Personal Data Was Exposed
On 10 Sep 2020, the Personal Data Protection Commission (PDPC) came to a decision regarding Grab’s latest breach, which started with their decision to update the Grab App.
The update was supposed to patch a vulnerability within the app that would allow access to GrabHitch drivers’ data.
However, the update somehow exposed the details of 5,651 drivers to unauthorised access by other drivers.
In total, 21,541 drivers’ and passengers’ personal data was exposed.
The information includes:
- Profile photos
- Passenger names
- Vehicle licence plate numbers
- Wallet balances, which comprised a history of ride payments
- Booking details, e.g. pick-up and drop-off timings
- Driver details, e.g. total number of rides, vehicle models and makes
For the breach, Grab is fined $10,000, to be paid within 30 days.
Rolled Back The Version Within 40 Minutes
On Grab’s part, they immediately rolled back the version 40 minutes after the update.
Grab has also notified the PDPC about the breach and notified the drivers about what happened.
PDPC found Grab guilty because when a company makes any changes to its IT system, it has to implement “reasonable security arrangements”, something which Grab had failed to do.
It was added that this is the second time Grab has made a similar mistake, although the previous one was done on a different system.
Grab has also admitted that they didn’t do any scoped testing before going ahead with the deployment of the update.
4th Time Grab Breached PDPA
This time, Grab has breached Section 24 of the PDPA.
This is also the fourth time Grab has breached the same section, PDPC deputy commissioner Yeong Zee Kin stated.
Grab now has 120 days to put in place a “data protection by design policy” for its mobile apps.
For the uninitiated, Section 24 basically says a company must protect personal data it either possesses or controls by making sure it won’t be exposed to unauthorised persons.
Given how Grab is practically used in every aspect of a person’s life, especially for those who love getting extra Grab Reward Points for using the e-wallet, we hope that Grab makes their system as secure as possible.
You can read PDPC’s full verdict here.