Grab has been fined S$16,000 by the Singapore government for leaking its customers’ data in email marketing campaigns sent to customers who used its ride-sharing service, GrabCar.
The Singapore-based platform aims to be a super-app and allows users to book everything from rides and food delivery to at-home beauticians, as well as manage subscriptions, read news and pay for goods.
In the incident, which occurred in December 2017, GrabCar sent out 399,751 electronic direct mailers (EDMs) to customers, but 120,747 of these emails contained the names and mobile numbers of other customers.
For example, an email sent to user A included user B’s name and mobile phone number.
Grab claimed the incident was caused by the erroneous assembly of customer information from different database tables and said it reported the breach to Singapore’s Personal Data Protection Commission (PDPC) immediately.
Despite the actions taken by Grab, the PDPC found that the platform had breached its obligations under the Personal Data Protection Act (PDPA), as the information it leaked is considered personal data.
The PDPC commissioner criticised Grab for not putting adequate measures in place to detect whether changes it made to the system holding personal data introduced errors that leaked that data.
However, he said the fine was fair as Grab took immediate action after the breach and took the initiative to inform its customers.
The PDPC had previously introduced three new initiatives which aim to promote innovation through trust by holding businesses accountable for the way they collect consumers’ personal data.