A cause for concern? Grab slapped with (another) data privacy fine
- Southeast Asia’s most valuable startup, Grab Holdings, had just been fined for its fourth data privacy leak since 2018
Singaporean ride-hailing giant Grab has been fined S$10,000 (US$7,311) by the Singaporean privacy watchdog, the Personal Data Protection Commission (PDPC), for what is being called the fourth data privacy breach that the Southeast Asian tech unicorn has been embroiled in.
Given the super app’s market worth, the fine is more symbolic than anything else but has been called a “cause for concern” by authorities.
A case report by the Deputy Commissioner of the PDPC, Yeong Zee Kin, alleges that the August 2019 update of the popular Grab mobile app unwittingly risked the personal data of 21,541 passengers and drivers, comprising names, profile pictures, and vehicle plate numbers, associated with the GrabHitch carpooling service that the app offers.
Other data exposed included the wallet balance comprising a comprehensive history of ride payments, the addresses, pick up, and drop-off times of GrabHitch rides, and the details of GrabHitch vehicles including the vehicle model and make.
The case report indicates that Grab was able to identify and roll back the app update that caused the data privacy violation, within an hour of learning of the breach. But the company should have had “properly scoped pre-launch tests” of the update before deployment, according to the deputy commissioner.
It was then revealed that this incident was the fourth such data privacy breach in less than two years, raising red flags with the PDPC in regulatory-conscious Singapore, which then levied the S$10,000 fine. Grab app users were expected to number 122 million in 2019, for all its regions.
PDPC commissioner Yeong said that he took into account as a mitigating factor Grab’s cooperation in the investigation, but highlighted the vast amounts of personal data that Grab processes on a regular basis. Grab is estimated to process around 5 million bookings for its ride-hailing feature alone, and the Southeast Asian ‘super app’ also offers diversified digital offerings including food delivery and financial technology (fintech) services in the various territories it is active in.
“I have also taken into consideration that this is the fourth time the organization has been found in breach of Section 24 of the PDPA,” stated Yeong. “Given that the organization’s business involves processing large volumes of personal data on a daily basis, this is a significant cause for concern.”
In an official statement to Mothership.sg, a Grab spokesperson stated:
“The security of data and the privacy of our users is of utmost importance to us, and we are sorry for disappointing them. When the incident was discovered on 30 August 2019, we took immediate actions to safeguard our users’ data and self-reported it to the Personal Data Protection Commission (PDPC).
“To prevent a recurrence, we have since introduced more robust processes, especially pertaining to our IT environment testing, along with updated governance procedures and an architecture review of our legacy application and source codes.”