Grab is fined S$10,000 for fourth data breach

By Ken Wong - on 15 Sep 2020, 3:34pm

During this breach, 20,000 passenger and driver details were exposed on Grab's GrabHitch platform. Yeong Zee Kin, Deputy Commissioner at the PDPC, blamed Grab for not conducting properly scoped testing before the update that resulted in the breach was deployed to the Grab App.

The data that was exposed included:

  • Profile photos and passenger names
  • Vehicle license plate numbers
  • Wallet balances which comprised the history of ride payments
  • Booking details like pick up and drop off timings
  • Driver’s details like total number of rides, vehicle models and makes

Grab had been fined twice before for other data breaches.

A financial penalty of S$6,000 was imposed on Grab in 2018 for failing to make reasonable security arrangements to prevent the unauthorised disclosure of GrabHitch drivers’ personal data. In 2019, it received a financial penalty of S$16,000 for failing to protect the personal data of its customers from unauthorised disclosure. In this case, the personal data of a customer was disclosed to one other customer via an email sent out by Grab. 2019 also saw the personal data of passengers leaked by GrabHitch drivers on social media without consent. In this case, Grab was told to provide detailed guidance for GrabHitch drivers on the handling of their riders' personal data to prevent this from occurring again.

We reached out to Grab for a comment and according to a spokesperson:

The security of data and the privacy of our users is of utmost importance to us, and we are sorry for disappointing them. When the incident was discovered on 30 August 2019, we took immediate actions to safeguard our users’ data and self-reported it to the Personal Data Protection Commission (PDPC). To prevent a recurrence, we have since introduced more robust processes, especially pertaining to our IT environment testing, along with updated governance procedures and an architecture review of our legacy application and source codes.

Building in security

Jonathan Knudsen, Senior Security Strategist at Synopsys Software Integrity Group, said:

A proactive, security-first approach to business enables organisations to drive down risk and minimise disruptions. Security is the grease that makes the whole engine run better.

He added that, to do this, security needs to be built into the processes and culture of every organisation, as rebuilding workflows and policies becomes much harder once teams are accustomed to particular processes.