GrabCar fined $16,000 for personal data breaches

Source: Straits Times
Date Published: 12 Jun 2019
Author: K.C. Vijayan

On Dec 17, 2017, GrabCar sent 120,747 marketing e-mails to customers that contained the name and mobile number of another customer.

Ride-hailing firm GrabCar has been fined $16,000 for the unauthorised disclosure of the names and mobile numbers of 120,747 customers in marketing e-mails.

The 2017 incident arose from an e-mail mismatch, where the affected customer's data was disclosed to only one other individual in each case.

Mr Tan Kiat How, the Commissioner for the Personal Data Protection Commission, said yesterday that GrabCar took immediate action and made changes to its practices.

These changes included requiring "a third person to perform sanity checks of the data before triggering any new campaigns" as well as plans to incorporate privacy by masking mobile phone numbers in marketing plans.

GrabCar is part of the Grab group, which offers services such as food delivery and payments on its mobile platform, in addition to ride hailing.

On Dec 17, 2017, GrabCar sent 399,751 marketing e-mails to a targeted group of customers, but 120,747 of these contained the name and mobile number of another customer.

The e-mail was sent to User A as intended but User B's name and phone number were reflected in the e-mail as that of the intended recipient.

GrabCar found that the incident was caused by the erroneous assemblage of customer information from different database tables.

Although 399,751 marketing e-mails were generated, only customers who had verified their e-mail addresses received the mismatched e-mails.

Mr Tan said GrabCar had breached its obligations under the Personal Data Protection Act as customer names and phone numbers are regarded as personal data.

He added that GrabCar "did not have adequate measures in place to detect whether the changes it made to the system that held personal data introduced errors that put the personal data it was processing at risk".

Mr Tan took into account GrabCar's prompt and voluntary notification of the incident and its practice of accountability when imposing the $16,000 penalty.

In a separate case, Deputy Commissioner Yeong Zee Kin issued directions to GrabCar for failing to install security arrangements for GrabHitch drivers to protect passenger data.

GrabHitch matches a passenger with a driver who, for a fee, is willing to give the person a lift on the way to the driver's destination.

This case involved separate complaints by two passengers who used GrabHitch to book carpool rides that were provided by two different drivers on separate occasions.

Mr Yeong ordered GrabCar to review and amend its practices to provide detailed guidance for GrabHitch drivers on the handling and protection of customer data.

He ruled that a financial penalty was not warranted as only two individuals were directly affected.

Source: Straits Times © Singapore Press Holdings Ltd. Permission required for reproduction.



