GrabCar fined $16,000 for personal data leak

Southeast Asia’s leading transportation technology app, GrabCar, has been fined $16,000 by the Singapore government for the unauthorised disclosure of customers’ names and mobile numbers in 2017.

According to a report from Vulcan Post, in December 2017 GrabCar sent 399,751 marketing e-mails to targeted customers, but 120,747 of these contained the name and mobile number of another customer.

Grab explained that the breach stemmed from the erroneous assembly of customer information from different database tables.

In an interview with The Drum, a Grab spokesperson expressed the company’s regret over the incident and said that the company takes data protection and users’ privacy seriously.


“To prevent a recurrence, we had immediately put in place more rigorous data validation and checks, including new processes that require a third person to perform sanity checks on data as well as masking phone numbers in all marketing campaigns,” the representative said.

“Grab is committed to comply with the Personal Data Protection Act (PDPA) and apologise for any anxiety caused.”

In January 2018, the Singapore-based platform notified the Personal Data Protection Commission (PDPC) about the leak and immediately implemented some changes in its practices.

Despite the actions taken by Grab, Mr Tan Kiat How, the Commissioner for the Personal Data Protection Commission, said GrabCar had failed to fulfil its obligation under the Personal Data Protection Act.


According to the Commissioner, the company “did not have adequate measures in place to detect whether the changes it made to the system that held personal data introduced errors that put the personal data it was processing at risk.” He also added that the data leak stemmed “in part because of administrative failures.”

On these grounds, the Commissioner claimed that the Singapore ride-hailing firm had made a “grave error” due to its failure to carry out “proper user acceptance testing” before the emails were sent out.

Mr Tan believed that the $16,000 fine was fair, as he took into account GrabCar’s instant and voluntary notice of the incident and its practice of accountability.

In a separate case, Deputy Commissioner Yeong Zee Kin rebuked Grab for its failure to implement security arrangements for GrabHitch drivers to protect customer data.

The company spokesperson was quick to respond to the news, saying “Grab has made it clear in our code of conduct to all GrabHitch driver-partners that they are not to use personal data of their passengers for any other purpose, apart from fulfilling the ride-booking.”