Singapore's privacy watchdog, the Personal Data Protection Commission (PDPC), has reportedly fined the ride-hailing app Grabcar S$10,000, alleging that a 2019 update put the data of some users at risk of unauthorized access, and calling it a fourth breach of data privacy regulations.
PDPC has further highlighted that this is a significant cause for concern, as the organization's business involves the processing of large volumes of personal data on a day-to-day basis. The watchdog has also instructed Grab to put in place a data protection by design policy, which would involve the consideration and incorporation of data protection measures into tech systems over the course of their development.
According to the regulator, the 2019 update reportedly put at risk the personal data of 21,541 passengers and drivers associated with GrabHitch, comprising names, profile pictures, and vehicle plate numbers. Other data put at risk comprised GrabHitch booking details, including driver details, addresses, details regarding the vehicle model and make, and pick-up and drop-off times.
According to PDPC, Grabcar reportedly rolled the app back to its last version within 40 minutes and has also taken other remedial action. The company has also highlighted the need to prevent a recurrence by introducing more robust processes, comprising upgraded governance procedures, IT environment testing, and an architecture review of Grabcar's source code and legacy application.
Yeong Zee Kin, PDPC's Deputy Commissioner for Personal Data Protection, has stated that Grab committed a grave mistake by failing to have strong processes for managing changes to its IT infrastructure that could potentially put personal data at risk. He added that it was the second time the company had made a mistake of this kind, and the fourth time it had violated a particular section of the Personal Data Protection Act (PDPA).