SINGAPORE'S privacy watchdog, in a decision paper made public on Thursday, disclosed that it fined ride-hailing firm GrabCar S$10,000 in July this year, after a 2019 update to its mobile app put the data of more than 21,000 drivers and passengers at risk of unauthorised access.
Yeong Zee Kin, deputy commissioner for personal data protection at the Personal Data Protection Commission (PDPC), said that Grab, in failing to have robust processes to manage changes to its IT system that could put personal data at risk, committed a "grave error". He noted that it was the second time Grab was making a mistake of this kind, and the fourth time it was breaching a particular section of the Personal Data Protection Act (PDPA).
The incident affected passengers and drivers of the company's car-pooling service GrabHitch. Data that was at risk of unauthorised access included profile pictures, passenger names, vehicle plate numbers, wallet balances and the journal history of ride payments. Other affected data included GrabHitch booking details such as addresses, pick-up and drop-off times, and driver details such as total rides, and vehicle model and make.
On Aug 30, 2019, Grab had rolled out an update to address a potential vulnerability in the app. An application programming interface (API) endpoint allowed GrabHitch drivers to access their data, and the variable "userID" portion in the URL directed data requests to the correct drivers' accounts.
But the "userID" portion could be manipulated to allow access to other GrabHitch drivers' data. Although the update removed the "userID" portion, the company failed to consider the app's caching mechanism, configured to refresh every 10 seconds, that served cached content in response to data requests.
Without the "userID", the caching mechanism could no longer differentiate between drivers. As a result, it provided the same data to all GrabHitch drivers for 10 seconds before new data was retrieved and cached for the next 10 seconds.
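The mechanism described above is a cache-key problem: once the per-user identifier left the URL, a response cache keyed on the URL alone had one entry for every driver, and that entry stayed live for the 10-second refresh interval. The following simulation is an added example, not Grab's code; the driver records, the endpoint path, the TtlCache class and the handler names are constructed for illustration, and only the behaviour follows the decision. It places the post-update handler beside a hardened one that keys the cache on the authenticated session identity, and runs the multi-driver check that, per the decision, was never performed.

```python
"""Cache-key confusion behind the GrabHitch leak: removing "userID" from the URL
left a response cache keyed on the URL alone, so one driver's data was served to
every driver for a 10-second window.

Added example, not Grab's code. The driver records, endpoint path and class names
are constructed for illustration; only the mechanism follows the PDPC decision.
"""

# Constructed sample data standing in for GrabHitch driver records.
DRIVERS = {
    "d-001": {"name": "Driver A", "plate": "SBA1234A", "wallet": 42.50},
    "d-002": {"name": "Driver B", "plate": "SBC5678B", "wallet": 17.00},
    "d-003": {"name": "Driver C", "plate": "SBD9012C", "wallet": 99.99},
}

CACHE_TTL = 10.0  # seconds; the refresh interval described in the decision


class TtlCache:
    """Minimal read-through cache: an entry is reused until it is ttl seconds old.
    The clock is injected so the simulation can step time deterministically."""

    def __init__(self, ttl, clock):
        self.ttl = ttl
        self.clock = clock
        self._entries = {}

    def get_or_load(self, key, loader):
        hit = self._entries.get(key)
        if hit is not None and self.clock() - hit[0] < self.ttl:
            return hit[1]                       # fresh entry: serve cached copy
        value = loader()                        # stale or missing: refill
        self._entries[key] = (self.clock(), value)
        return value


def load_profile(driver_id):
    """Backend fetch; in the real system this is the database query."""
    return dict(DRIVERS[driver_id])


def handle_vulnerable(cache, authed_driver_id):
    """Post-update behaviour: the URL no longer carries userID, and the cache key
    is the URL path only. Whichever driver fills the entry first has their
    profile served to everyone for the next ttl seconds."""
    cache_key = "GET /v1/hitch/driver/profile"
    return cache.get_or_load(cache_key, lambda: load_profile(authed_driver_id))


def handle_fixed(cache, authed_driver_id):
    """Hardened: the identity the auth layer attached to the session is part of
    the cache key, so entries are never shared between principals. Because the
    identity comes from the session rather than the URL, it cannot be tampered
    with the way the old userID path segment could."""
    cache_key = f"GET /v1/hitch/driver/profile|user={authed_driver_id}"
    return cache.get_or_load(cache_key, lambda: load_profile(authed_driver_id))


def simulate_drivers(handler, seconds_between_requests, ttl=CACHE_TTL):
    """The test the decision says was never run: several drivers hit the endpoint
    in sequence. Returns (requester, plate served) pairs for inspection."""
    now = [0.0]
    cache = TtlCache(ttl, clock=lambda: now[0])
    served = []
    for driver_id in DRIVERS:
        served.append((driver_id, handler(cache, driver_id)["plate"]))
        now[0] += seconds_between_requests
    return served


def count_leaks(served):
    """Number of requests answered with another driver's record."""
    return sum(1 for driver_id, plate in served if plate != DRIVERS[driver_id]["plate"])


if __name__ == "__main__":
    # Three drivers one second apart, all inside a single 10 s cache window.
    print("vulnerable, 1 s apart:", count_leaks(simulate_drivers(handle_vulnerable, 1.0)))
    # Spread the same requests 11 s apart and the cache expires between them,
    # which is why low-traffic testing would not have shown the bug.
    print("vulnerable, 11 s apart:", count_leaks(simulate_drivers(handle_vulnerable, 11.0)))
    print("fixed, 1 s apart:", count_leaks(simulate_drivers(handle_fixed, 1.0)))
```

The second run in the usage section is the practical point: with requests spaced further apart than the refresh interval, the vulnerable handler looks correct, so a single tester clicking through the app would not have seen the leak. Only concurrent or back-to-back requests from different principals inside one cache window expose it, which is the scenario the deputy commissioner faulted Grab for not simulating.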
Upon being notified of the incident, Grab rolled back the app to the version prior to the update within 40 minutes, and notified 5,651 GrabHitch drivers of the incident the same day. Its initial investigations showed that only those drivers were affected.
Grab also increased the minimum "cash out" amount for wallets in GrabHitch to S$200,000 to prevent unauthorised transfers and deployed a new app update on Sept 10, 2019.
The deputy commissioner found that Grab introduced changes to its app without understanding how the changes would operate with existing features of the app and its broader IT system, including the caching mechanism.
Furthermore, Grab did not conduct tests to simulate multiple users accessing the app concurrently or consecutively, which were foreseeable scenarios, considering the large number of GrabHitch drivers. No tests were conducted to verify how the caching mechanism would work with the update either.
Grab said that after the incident, it reviewed its testing and governance procedures, and did an architecture review of its legacy applications and relevant code which had not been reviewed for an extended period of time.
The deputy commissioner further directed the firm to implement a "data protection by design" policy for its mobile applications. On Grab's repeated violations of the PDPA, Mr Yeong noted that, "given that the organisation's business involves processing large volumes of personal data on a daily basis, this is a significant cause for concern".
Grab has had three other transgressions in the handling of personal data. On June 11 last year, in a similar incident, the company inadvertently disclosed the names and mobile phone numbers of 120,747 customers in marketing e-mails without authorisation. For that, it was fined S$16,000.
On Sept 27, 2018, the company was fined S$6,000 for the unauthorised disclosure of the personal data of GrabHitch drivers online through a Google Forms survey created by Grab.
Grab has also stepped on the toes of regulators overseas. In February, the National Privacy Commission in the Philippines ordered the company to halt the pilot tests of, and plans to roll out, three new data processing systems. It found deficiencies in the passenger "selfie" verification, in-vehicle audio recording and in-vehicle video recording systems that may endanger the privacy rights of the riding public.