Singapore ride-hailing firm GrabCar has been fined $16,000 for breaching the Personal Data Protection Act.
Out of the 399,751 marketing emails that it sent out, 120,747 customers’ names and mobile numbers were leaked.
This happened back in December 2017 due to an e-mail mismatch, where the affected customer’s data was disclosed to only one other individual in each case.
To put things in perspective, the e-mail was sent to User A as intended, but User B’s name and mobile phone number were reflected in the e-mail instead.
Shortly after the emails went out, the Customer Experience team at GrabCar was alerted to an increased number of customer queries about the unauthorised disclosure of personal data.
It later found out that the incident was caused by the “erroneous assembly” of customer information from different database tables.
Grab Steps Up Practices
Following the leak, GrabCar promptly notified the Personal Data Protection Commission (PDPC) on 5 January 2018 and immediately changed its practices.
“To prevent a recurrence, we had immediately put in place more rigorous data validation and checks, including new processes that require a third person to perform sanity checks on data as well as masking phone numbers in all marketing campaigns,” said a Grab spokesperson.
GrabCar expressed its regret over this incident and said that it takes data protection and users’ privacy seriously.
“Grab is committed to comply with the Personal Data Protection Act (PDPA), and apologise for any anxiety caused,” said a Grab spokesperson.
Featured Image Credit: Vincent Wee