SINGAPORE: GrabCar has been ordered to pay a $16,000 fine after it sent more than 120,000 marketing emails to customers that contained another customer's name and mobile phone number.
The Personal Data Protection Commission (PDPC) found that GrabCar, which is part of the Grab Group, "failed to make reasonable security arrangements" to detect errors in its databases when sending emails.
In its grounds of decision published on Tuesday (11 June), the commissioner noted that GrabCar had made a "grave mistake" by not conducting "proper user acceptance tests" before the emails were sent.
The PDPC was notified of the GrabCar error by GrabTaxi Holdings on January 5, 2018.
MISMATCH BETWEEN DATABASE TABLES
The commissioner said that GrabCar regularly sends marketing emails offering "special promotions for selected customers".
On December 17, 2017, the company sent 399,751 marketing emails to customers as part of one such campaign.
Of these, 120,747 emails contained the name and mobile phone number of a customer other than the intended recipient.
Soon after the emails were sent, GrabCar's Customer Experience team was alerted to a large number of customer enquiries about the unauthorised disclosure of personal data.
GrabCar traced the cause of the incident to a "mismatch" of customer information drawn from different database tables.
In response to CNA's queries, Grab said the incident occurred because of a database incompatibility, which resulted in each affected customer's name and phone number being disclosed to another individual.
According to the commissioner's findings, the company did not contest that personal data had been disclosed "by mistake and without authorisation".
"The commissioner finds that the organisation did not have adequate measures in place to detect whether changes made to the system that contained personal data introduced errors that put the personal data being processed at risk," he said.
The commissioner said the data leak arose "in part because of administrative flaws", and GrabCar acknowledged that the "technical documentation" of its verified email database was not clear enough.
"There were flaws in the way the organisation conducted the tests. The tests were performed only on unverified email addresses, rather than on both verified and unverified email addresses."
The testers did not discover the incompatibility because the test email addresses were unverified and were therefore unaffected when the databases were joined.
"Under these circumstances, the commissioner finds that the organisation failed to make reasonable security arrangements to detect errors in preparing the change, in other words in writing the database query, as well as failing to perform adequate tests before implementing the change," the commissioner said.
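The ruling describes two failures that reinforce each other: a campaign query that attaches the wrong customer's details to verified addresses, and a test run that only covered unverified addresses and so could not see it. The following is an added illustration, not Grab's code, schema or data. It assumes a hypothetical layout in which verified addresses were imported from another system and are keyed by a legacy account number that happens to look like a customer ID, so a join that skips the mapping table silently pairs verified addresses with other customers. It then shows the kind of pre-send integrity check the remediation plan describes: independently resolve who owns each recipient address and refuse to send any message whose personalisation fields do not belong to that recipient, and shows why the same check run only on unverified addresses passes.

```python
import sqlite3

# Constructed sample data for this example (not Grab's data or schema).
CUSTOMERS = [
    (1, "Alice Tan", "+65 9111 0001"),
    (2, "Bob Lim", "+65 9111 0002"),
    (3, "Carol Ng", "+65 9111 0003"),
    (4, "Dan Ho", "+65 9111 0004"),
]
# Unverified addresses are keyed by customer_id, the same key the customers table uses.
UNVERIFIED_EMAILS = [(3, "carol@example.test"), (4, "dan@example.test")]
# Assumption: verified addresses came from a legacy system keyed by account_no,
# whose values overlap numerically with customer_id but mean something else.
VERIFIED_EMAILS = [(2, "alice@example.test"), (1, "bob@example.test")]  # (account_no, address)
ACCOUNT_MAP = [(2, 1), (1, 2)]  # (account_no, customer_id)


def build_db():
    """In-memory SQLite database loaded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(customer_id INTEGER PRIMARY KEY, name TEXT, phone TEXT);
        CREATE TABLE unverified_emails(customer_id INTEGER, address TEXT);
        CREATE TABLE verified_emails(account_no INTEGER, address TEXT);
        CREATE TABLE account_map(account_no INTEGER, customer_id INTEGER);
    """)
    conn.executemany("INSERT INTO customers VALUES (?,?,?)", CUSTOMERS)
    conn.executemany("INSERT INTO unverified_emails VALUES (?,?)", UNVERIFIED_EMAILS)
    conn.executemany("INSERT INTO verified_emails VALUES (?,?)", VERIFIED_EMAILS)
    conn.executemany("INSERT INTO account_map VALUES (?,?)", ACCOUNT_MAP)
    return conn


# Hypothetical campaign query with a key confusion: the verified branch joins
# account_no straight onto customer_id, skipping the mapping table.  Only the
# verified rows come out wrong, which is why a test on unverified rows passes.
BUGGY_QUERY = """
    SELECT u.address, c.name, c.phone FROM unverified_emails u
      JOIN customers c ON c.customer_id = u.customer_id
    UNION ALL
    SELECT v.address, c.name, c.phone FROM verified_emails v
      JOIN customers c ON c.customer_id = v.account_no
"""

# Corrected query: resolve account_no to customer_id through account_map.
FIXED_QUERY = """
    SELECT u.address, c.name, c.phone FROM unverified_emails u
      JOIN customers c ON c.customer_id = u.customer_id
    UNION ALL
    SELECT v.address, c.name, c.phone FROM verified_emails v
      JOIN account_map m ON m.account_no = v.account_no
      JOIN customers c ON c.customer_id = m.customer_id
"""


def address_owners():
    """Ground truth for the integrity check, built independently of the campaign
    query: the (name, phone) that genuinely belongs to each recipient address."""
    by_id = {cid: (name, phone) for cid, name, phone in CUSTOMERS}
    acct_to_cid = dict(ACCOUNT_MAP)
    owners = {addr: by_id[cid] for cid, addr in UNVERIFIED_EMAILS}
    owners.update({addr: by_id[acct_to_cid[acct]] for acct, addr in VERIFIED_EMAILS})
    return owners


def integrity_check(rows, owners, cohort=None):
    """Pre-send gate: each outbound (address, name, phone) must carry the
    recipient's own details.  `cohort` limits the check to a set of addresses,
    modelling a test run that only covers part of the recipient population."""
    mismatches = []
    for address, name, phone in rows:
        if cohort is not None and address not in cohort:
            continue
        if owners.get(address) != (name, phone):
            mismatches.append(address)
    return sorted(mismatches)


def run_campaign_check(query, cohort=None):
    """Render the campaign rows with `query` and return (rows, mismatched addresses)."""
    conn = build_db()
    rows = conn.execute(query).fetchall()
    conn.close()
    return rows, integrity_check(rows, address_owners(), cohort)


if __name__ == "__main__":
    unverified_only = {addr for _, addr in UNVERIFIED_EMAILS}
    print("buggy query, tested on unverified only:", run_campaign_check(BUGGY_QUERY, unverified_only)[1])
    print("buggy query, checked on all recipients:", run_campaign_check(BUGGY_QUERY)[1])
    print("fixed query, checked on all recipients:", run_campaign_check(FIXED_QUERY)[1])
```

The point of resolving ownership separately from the campaign query is that a check which reuses the same join would inherit the same key confusion; the check has to be an independent path to the truth, which is also why the remediation hands it to a third party. Running the check on the full recipient list rather than a convenient test cohort is what closes the gap the commissioner described.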
GRAB "DEEPLY REGRETS" INCIDENT; INTRODUCES NEW PROCESSES
In its statement to CNA, Grab said it "deeply regrets" the incident.
"Grab takes the data protection and privacy of our users very seriously, and deeply regrets that this incident has occurred.
"When the incident was discovered on December 17, 2017, we reported it to the Personal Data Protection Commission (PDPC) immediately," a Grab spokesman said.
GrabCar asked for a reduction of the financial penalty, saying it had voluntarily alerted the commission and implemented a remediation plan.
The plan included more rigorous data validation and a change of practice requiring a third party to perform "integrity checks" on the data before new marketing campaigns are launched.
It also plans to mask mobile phone numbers in future campaigns.
"To avoid a recurrence, we immediately put in place more rigorous checks and validations, including new processes that require a third party to perform data integrity checks and mask phone numbers in every marketing campaign," Grab said.
"Grab is committed to complying with the Personal Data Protection Act (PDPA) and apologises for any anxiety this may have caused."