Grab Fined $10k After 21K Users’ Personal Data Was Exposed; 4th Time Grab Breached PDPA

Latest Articles

Elderly Woman Caught Stealing Clocks & Watches Repeatedly From Clementi Shop; Daughter of Shop...

For reasons we don't yet know, there are certain things you can get away once you're above the age...

Members of Altar Servers’ Society at S’pore Parish Quit Over Allegations of Inappropriate Behaviour

The Catholic Church in Singapore has investigated accusations of sexual misconduct between a former altar server and multiple underage...

HPB Launches Campaign to Promote Healthy Eating, Lifestyle Habits in Malay/Muslim Community for Ramadan

In an ideal world, brussels sprouts would taste like chocolate cake, sleeping for eight hours would burn as many...

Trainee Lawyer’s Application to be Called to S’pore Bar Denied; Employer Later Found to...

Usually, the process of trainee lawyers being called to the bar is rather uneventful.  According to Justice Choo Han Teck,...

MSF Looking to Amend Adoption Laws & Practices; Include Making Unethical Adoption Illegal, Giving...

The Adoption of Children Act, last revisited more than thirty years ago in 1985, is now under review by...

If Goody Feed requires you to give us your phone number and your credit card details, and somehow leaked it, it probably wouldn’t matter much because no one sane would trust us with their personal details.

But if a company like Grab were to lose your details?

That’s when the saying, shit has hit the fan, comes into play.

After all, Grab has 187 million users across 8 different countries and in Singapore, is the go-to app for private-hire rides, food delivery, and even e-wallet services.

So when it’s found that Grab has accidentally exposed 21,000 users’ personal data to risk of unauthorised access, and it’s the 4th time?

Something has to be done.

Grab Fined $10k After 21K Users’ Personal Data Was Exposed

On 10 Sep 2020, the Personal Data Protection Commission (PDPC) came to a decision regarding Grab’s latest breach, which started with their decision to update the Grab App.

The update was supposed to be patched a vulnerability within the app that’ll allow access to GrabHitch drivers’ data.

However, the update somehow exposed the details of 5,651 drivers to unauthorised access by other drivers.

In total, 21,541 drivers’ and passengers’ personal data was exposed.

The information includes:

  • Profile photos
  • Passenger names
  • Vehicle licence plate numbers
  • Wallet balances, which comprised a history of ride payments
  • Booking details, e.g. pick-up and drop-off timings
  • Driver details, e.g. total number of rides, vehicle models and makes

For the breach, Grab is fined $10,000, to be paid within 30 days.

Rolled Back The Version Within 40 Minutes

On Grab’s part, they immediately rolled back the version 40 minutes after the update.

Grab has also notified the PDPC about the breach and notified the drivers about what happened.

PDPC found Grab guilty because when a company makes any changes to its IT system, it has to implement “reasonable security arrangements”, something which Grab had failed to do.

It was added that this is the second time Grab has made a similar mistake, although the previous one was done on a different system.


Grab has also admitted that they didn’t do any scoped testing before going ahead with the deployment of the update.

4th Time Grab Breached PDPA

This time, Grab has breached Section 24 of the PDPA.

This is also the fourth time Grab has breached the same section, PDPC deputy commissioner Yeong Zee Kin stated.

Grab now has 120 days to put into place “data protection by design policy” for its mobile apps.

For the uninitiated, section 24 basically says a company must protect personal data it either possesses or control by making sure it won’t be exposed to unauthorised persons.

Given how Grab is practically used in every aspect of a person’s life, especially for those who love getting extra Grab Reward Points for using the e-wallet, we hope that Grab makes their system as secure as possible.

Are you angry at someone now, and can’t get him or her out of your mind? Well, watch this video and you’ll know what to do next:

You can read PDPC’s full verdict here.

Read Also: Police Officers Recover Woman’s $35K In Tech Support Scam But Recipient Is An ‘Unknowing Accomplice’

Like writing? Goody Feed is looking for writers! Click here for more info!