Ride-hailing firm GrabCar has been fined S$16,000 (RM48,750) for the unauthorised disclosure of the names and mobile numbers of 120,747 customers in marketing emails.
The 2017 incident arose from an email mismatch where the affected customer’s data was disclosed to only one other individual in each case.
Tan Kiat How, the Commissioner for the Personal Data Protection Commission, said on Tuesday that GrabCar took immediate action and made changes to its practices.
These changes included requiring “a third person to perform sanity checks of the data before triggering any new campaigns” as well as plans to incorporate privacy by masking mobile phone numbers in marketing plans.
GrabCar is part of the Grab group, which offers services such as food delivery and payments on its mobile platform in addition to ride hailing.
On Dec 17, 2017, GrabCar sent 399,751 marketing emails to a targeted group of customers, but 120,747 of these contained the name and mobile number of another customer.
The email was sent to User A as intended, but User B’s name and mobile phone number were shown in the email as those of the intended recipient.
Although 399,751 marketing emails were generated, only customers who had verified their email addresses received the mismatched emails.
Tan said GrabCar had breached its obligations under the Personal Data Protection Act as customer names and phone numbers are regarded as personal data.
He added that GrabCar “did not have adequate measures in place to detect whether the changes it made to the system that held personal data introduced errors that put the personal data it was processing at risk”.
Tan took into account GrabCar’s prompt voluntary notification of the incident and its accountable practices when imposing the S$16,000 penalty.
In a separate case, Deputy Commissioner Yeong Zee Kin issued directions to GrabCar for failing to install security arrangements for GrabHitch drivers to protect passenger data.
GrabCar found that the incident was caused by the erroneous assembly of customer information from different database tables. — The Straits Times/Asia News Network