According to a media release, Grab was fined $10,000 for a personal data breach that has affected more than 21,000 of its users. 21,000 users personal data were put at risk of being accessible by unauthorised parties.
The incident started off with an application update that happened on the 30 Aug 2019. The update was initially used to patch a potential vulnerability to the application for hitch drivers. Instead of fixing the bug, the update exposed the profile data of 5,651 users.
This has caused 21,541 of personal data exposed to access by an unauthorised third party.
These data include:
- Profile photos
- Passenger names
- Vehicle licence plate numbers
- Wallet balances, which comprised a history of ride payments
- Booking details, e.g. pick-up and drop-off timings
- Driver details, e.g. total number of rides, vehicle models and makes
When Grab noticed the breach, the updated was already rolled out for as long as 40 minutes. Grab then proceeds to inform the affected users and PDPC of the breach.
When the relevant authorities are deciding on the punishment for the data breach, they had also taken into consideration that this is the fourth time that such an incident had happened.
It is a must for a company to protect the interest of its users. As a preventive measure, Grab was given 120 days to further enhance their application to prevent such data breach.