Grab fined by Singapore government for data breach in email marketing campaigns

An email sent to user A included user B's name and mobile phone number.

Grab has been fined $16,000 by the Singapore government for leaking its customers' data in email marketing campaigns sent to customers who used its ride-sharing service, GrabCar.

The Singapore-based platform aims to be a super-app and allows users to book everything from rides and food delivery to at-home beauticians, as well as manage subscriptions, read news and pay for goods.

The incident, which occurred in December 2017, saw GrabCar send out 399,751 EDMs to customers, but 120,747 of these emails shared the names and mobile numbers of other customers.

For example, an email sent to user A included user B's name and mobile phone number.

Grab claimed the incident was caused by the erroneous assembly of customer information from different database tables and said it reported the breach to Singapore’s Personal Data Protection Commission (PDPC) immediately.

“Grab takes data protection and our users’ privacy very seriously, and deeply regrets that this incident occurred,” a Grab spokesperson told The Drum.

“To prevent a recurrence, we had immediately put in place more rigorous data validation and checks, including new processes that require a third person to perform sanity checks on data as well as masking phone numbers in all marketing campaigns.”

“Grab is committed to comply with the Personal Data Protection Act (PDPA) and apologise for any anxiety caused.”

Despite the actions taken by Grab, the PDPC found the platform breached its obligations under the PDPA, as the information it leaked is considered personal data.

The PDPC commissioner criticised Grab for not putting adequate measures in place to detect whether changes it made to the system holding personal data had introduced errors that leaked the data.

However, he said the fine was fair as Grab took immediate action after the breach and took the initiative to inform its customers.

In a separate incident, the PDPC rebuked Grab for failing to hold its GrabHitch drivers accountable when it comes to protecting its customers’ data. GrabHitch is a Grab service that matches journeys between its drivers and commuters heading the same way at the same time.

Two GrabHitch drivers had previously used the personal data of their passengers for purposes other than fulfilling the ride-booking. Grab declined to provide a detailed description of the incidents.

Grab said it is unfortunate that two of its driver-partners, its term for its drivers, ignored the code of conduct, and it has since introduced a number-masking feature in its GrabHitch service to prevent misuse of personal data by its driver-partners.

“We are currently reviewing the decision as we believe there is a lack of clarity on the extent to which an organization is responsible for educating private individuals offering services in a personal capacity, about personal data protection,” the spokesperson told The Drum.

“Grab has made it clear in our code of conduct to all GrabHitch driver-partners that they are not to use personal data of their passengers for any other purpose, apart from fulfilling the ride-booking.”

The PDPC had previously introduced three new initiatives which aim to promote innovation through trust by holding businesses accountable for the way they collect consumers’ personal data.