GrabCar fined S$10,000 for 4th user data privacy violation
15 September, 2020
Singapore's privacy watchdog has fined ride-hailing app GrabCar S$10,000, saying a 2019 update left the data of some users vulnerable to unauthorised access, in what the watchdog said was a fourth breach of data privacy regulations and "a significant cause for concern".
In a decision published on Sep 10, the Personal Data Protection Commission (PDPC) said the update exposed the personal data of 21,541 drivers and passengers, including profile pictures, names and car plate numbers, linked to carpooling service GrabHitch.
GrabCar, a unit of Southeast Asia's most valuable startup Grab Holdings, rolled back the app to the previous version within about 40 minutes and took other remedial actions, PDPC said.
"Considering that the organisation's business involves processing large volumes of personal data every day, this is a significant cause for concern," PDPC said.
On Aug 30, 2019, GrabCar notified the PDPC that profile data of 5,651 GrabHitch drivers had been exposed to the risk of unauthorised access by other GrabHitch drivers for a "short period of time on a single day" through the Grab app.
Grab's investigations traced the cause of the breach to the deployment of an update to the app on a single evening, said PDPC deputy commissioner Yeong Zee Kin.
"The purpose of the update was to address a potential vulnerability discovered in the Grab app," he said.
In PDPC's findings, Mr Yeong said the application programming interface (API) URL through which GrabHitch drivers accessed their own data contained a "userID" component that could potentially be manipulated to gain access to other drivers' data.
According to GrabCar, there is no evidence that this vulnerability was exploited, PDPC said.
To fix the vulnerability, the update removed the "userID" from the URL, shortening it to a hard-coded "users/profile". However, it failed to take into account the URL-based caching mechanism in the app, which was configured to refresh every 10 seconds.
The mechanism served cached content in response to data requests, in order to reduce the load from direct access to GrabCar's database.
With the update, all such URLs in the Grab app ended with "users/profile". Without the "userID" in the URL, which had directed each data request to the right GrabHitch driver's account, the caching mechanism could no longer distinguish between drivers.
Consequently, the mechanism served the same data to all GrabHitch drivers for 10 seconds, until new data was retrieved from GrabCar's database and cached for the next 10 seconds.
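The failure chain described above is easy to reproduce in miniature. The following Python simulation is an added example written for this page; it is not Grab's code and it invents nothing about Grab's actual implementation. It models three states of a profile endpoint: the original URL carrying a user ID that the handler trusts without checking it against the session (the manipulation risk PDPC describes), the deployed fix where the ID is dropped but the response cache is still keyed on the URL alone with a 10-second TTL (so one driver's record is served to every other driver until it expires), and a hardened cache whose key includes the authenticated user. The driver records, the route names, the `ResponseCache` class and the `cross_user_leak` regression check are all constructed for the example.

```python
import time
from dataclasses import dataclass

# Constructed sample profiles standing in for GrabHitch driver records.
PROFILES = {
    "driver-A": {"name": "Alice", "plate": "SAA1111A"},
    "driver-B": {"name": "Bob", "plate": "SBB2222B"},
}


@dataclass
class Request:
    url: str           # path the app requested
    session_user: str  # authenticated principal attached to the session


class FakeClock:
    """Injectable clock so the 10-second cache window can be stepped by hand."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class ResponseCache:
    """Response cache in front of the profile handler, keyed by key_fn and
    expiring entries after ttl seconds (10 s, as in the PDPC decision)."""
    def __init__(self, key_fn, ttl=10.0, clock=time.monotonic):
        self.key_fn = key_fn
        self.ttl = ttl
        self.clock = clock
        self._store = {}

    def get(self, req, handler):
        key = self.key_fn(req)
        now = self.clock()
        hit = self._store.get(key)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]          # cache hit, whoever populated it
        value = handler(req)
        self._store[key] = (now, value)
        return value


# Stage 1: userID taken from the URL and never checked against the session.
def handler_with_user_id(req):
    user_id = req.url.rsplit("/", 1)[1]
    return PROFILES[user_id]


# Stages 2 and 3: userID dropped from the URL; the principal comes from the session.
def handler_from_session(req):
    return PROFILES[req.session_user]


def key_by_url(req):
    return req.url


def key_by_url_and_user(req):
    # Hardened key: a per-user response must never be shared across sessions.
    return (req.url, req.session_user)


def cross_user_leak(cache, handler, url):
    """Regression check: two different sessions hitting the same URL
    back-to-back within the TTL must not receive the same profile."""
    a = cache.get(Request(url, "driver-A"), handler)
    b = cache.get(Request(url, "driver-B"), handler)
    return a == b


def run_scenarios():
    clock = FakeClock()
    results = {}

    # Stage 1: the original flaw. Driver A asks for driver B's record by ID.
    c1 = ResponseCache(key_by_url, clock=clock)
    results["idor"] = c1.get(Request("/users/profile/driver-B", "driver-A"),
                             handler_with_user_id)

    # Stage 2: the fix as deployed, cache still keyed on the URL alone.
    c2 = ResponseCache(key_by_url, clock=clock)
    results["leak_within_ttl"] = cross_user_leak(c2, handler_from_session, "/users/profile")
    # After the 10-second window a fresh lookup is served, but it is again
    # cached under the shared URL, so the next driver inherits it too.
    clock.advance(10)
    results["b_after_ttl"] = c2.get(Request("/users/profile", "driver-B"), handler_from_session)
    results["a_after_ttl"] = c2.get(Request("/users/profile", "driver-A"), handler_from_session)

    # Stage 3: cache key includes the authenticated user.
    c3 = ResponseCache(key_by_url_and_user, clock=clock)
    results["leak_with_user_key"] = cross_user_leak(c3, handler_from_session, "/users/profile")
    return results


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The `cross_user_leak` check is the test that would have flagged the deployed fix before release: it needs nothing more than two authenticated sessions and one shared URL. The same principle applies to any cache in front of per-user responses, whether in the app, an API gateway or a CDN: either key the entry on the principal as well as the URL, or mark such responses uncacheable.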
PDPC's Mr Yeong said GrabCar had not put in place "sufficiently robust processes" to manage changes to its IT system that could put the personal data it was processing at risk.
"This was a particularly grave error given that this is the second time (GrabCar) is making a similar mistake, albeit with respect to a different programme," he said.
In a statement in response to Reuters' query on Sunday, Grab said: "To prevent a recurrence, we have since introduced more robust processes, especially regarding our IT environment testing, along with updated governance procedures and an architecture review of our legacy application and source codes."
FINED FOR UNAUTHORISED DISCLOSURE OF CUSTOMER DATA IN 2019
In 2019, GrabCar was ordered to pay a financial penalty of S$16,000 after it sent more than 120,000 marketing emails to customers containing the name and mobile phone number of another customer.
The PDPC had found that GrabCar "failed to make reasonable security arrangements" to detect the errors in its database when sending out the emails.
In its grounds of decision on Jun 11 last year, PDPC noted that GrabCar had made a "grave error" in not conducting "proper user acceptance testing" before the emails were sent out.
Source: www.channelnewsasia.com