Ride-hailing firm GrabCar has been fined $16,000 for the unauthorised disclosure of the names and mobile numbers of 120,747 customers in marketing e-mails.
The 2017 incident arose from an e-mail mismatch where the affected customer's data was disclosed to only one other individual in each case. Mr. Tan Kiat How, the Commissioner for the Personal Data Protection Commission, said on Tuesday (11 June) that GrabCar took immediate action and made changes to its practices.
These changes included requiring "a third person to perform sanity checks of the data before triggering any new campaigns" as well as plans to incorporate privacy by masking mobile phone numbers in marketing plans.
GrabCar is part of the Grab group, which offers services such as food delivery and payments on its mobile platform in addition to ride hailing. On 17 December 2017, GrabCar sent 399,751 marketing e-mails to a targeted group of customers but 120,747 of these contained the name and mobile number of another customer.
The e-mail was sent to User A as intended, but User B's name and mobile phone number were reflected in the e-mail as those of the intended recipient. GrabCar found that the incident was caused by the erroneous assembly of customer information from different database tables.
Although 399,751 marketing e-mails were generated, only customers who had verified their e-mail addresses received the mismatched e-mails.
Mr. Tan said GrabCar had breached its obligations under the Personal Data Protection Act as customer names and phone numbers are regarded as personal data.
He added that GrabCar "did not have adequate measures in place to detect whether the changes it made to the system that held personal data introduced errors that put the personal data it was processing at risk".
Mr. Tan took into account GrabCar's prompt voluntary notification of the incident and its accountable practices when imposing the $16,000 penalty.
In a separate case, Deputy Commissioner Yeong Zee Kin issued directions to GrabCar for failing to install security arrangements for GrabHitch drivers to protect passenger data.
GrabHitch matches a passenger with a driver who is willing to give the person a lift on the way to the driver's destination in return for a fee. This case involved separate complaints by two passengers who used GrabHitch to book carpool rides that were provided by two different drivers on separate occasions.
Mr. Yeong ordered GrabCar to review and amend its practices to provide detailed guidance for GrabHitch drivers on handling and protecting customer data. He ruled a financial penalty was not warranted as only two individuals were directly affected.