
Grabcar Pte Ltd [2020] SGPDPC 14

Analysis of [2020] SGPDPC 14, a decision of the Personal Data Protection Commission on 2020-07-21.

Case Details

  • Citation: [2020] SGPDPC 14
  • Court: Personal Data Protection Commission
  • Date: 2020-07-21
  • Judges: Yeong Zee Kin, Deputy Commissioner
  • Plaintiff/Applicant: -
  • Defendant/Respondent: Grabcar Pte Ltd
  • Legal Areas: Data Protection – Protection obligation
  • Statutes Referenced: Personal Data Protection Act, Personal Data Protection Act 2012
  • Cases Cited: [2018] SGPDPC 16, [2018] SGPDPC 23, [2019] SGPDPC 14, [2019] SGPDPC 15, [2019] SGPDPC 20, [2019] SGPDPC 36, [2020] SGPDPC 14
  • Judgment Length: 9 pages, 1,609 words

Summary

In this case, the Personal Data Protection Commission (the "Commission") found that Grabcar Pte Ltd (the "Organisation") had breached its obligation under Section 24 of the Personal Data Protection Act 2012 ("PDPA") to protect personal data in its possession or under its control. The breach arose from an incident where the profile data of 5,651 GrabHitch drivers was exposed to the risk of unauthorized access by other GrabHitch drivers through the Organisation's mobile application (the "Grab App").

The Commission determined that the Organisation failed to put in place sufficient security arrangements to prevent the unauthorized access, and imposed a financial penalty of S$10,000 on the Organisation. The Commission also directed the Organisation to implement a data protection by design policy for its mobile applications within 120 days.

What Were the Facts of This Case?

Grabcar Pte Ltd is a Singapore-based company that offers ride-hailing transport services, food delivery, and digital payment solutions through its Grab App. The Grab App also provides a carpooling option called "GrabHitch", which matches passengers with drivers willing to give them a lift in return for a fee.

On 30 August 2019, the Organisation notified the Commission that for a short period on the same day, the profile data of 5,651 GrabHitch drivers was exposed to the risk of unauthorized access by other GrabHitch drivers through the Grab App (the "Incident"). The Organisation's investigation traced the cause of the Incident to the deployment of an update to the Grab App on the same day (the "Update").

The purpose of the Update was to address a potential vulnerability in the Grab App's application programming interface (API) endpoint (/users/{userID}/profile), which had allowed GrabHitch drivers to access their own data. To fix this vulnerability, the Update removed the variable 'userID' from the URL, shortening it to a hard-coded '/users/profile'.

However, the Organisation failed to consider the impact of this change on the Grab App's URL-based caching mechanism, which was configured to refresh every 10 seconds. Without the 'userID' variable in the URL, the caching mechanism could no longer differentiate between GrabHitch drivers' data requests, and instead provided the same data to all GrabHitch drivers for 10 seconds before retrieving new data from the Organisation's database.
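As an added illustration (not code from the decision or from the Organisation), the following Python simulation reproduces the cache behaviour described above. It assumes a response cache keyed on the request URL with a 10-second TTL and uses constructed driver records; the pre-update and post-update URL shapes and the hardened cache key are hypothetical.

```python
import time

TTL_SECONDS = 10  # the decision records a 10-second cache refresh

# Constructed sample records; names, plates and balances are invented.
PROFILES = {
    "driver-A": {"name": "Driver A", "plate": "SXX0001A", "wallet": 42.00},
    "driver-B": {"name": "Driver B", "plate": "SXX0002B", "wallet": 7.50},
}

def load_profile(user_id):
    """Backend read for the authenticated caller (stands in for the database)."""
    return dict(PROFILES[user_id])

class TtlCache:
    """Response cache keyed on whatever key_fn derives from the request."""
    def __init__(self, key_fn, ttl=TTL_SECONDS, clock=time.monotonic):
        self.key_fn, self.ttl, self.clock, self.store = key_fn, ttl, clock, {}

    def get_or_load(self, url, user_id):
        key = self.key_fn(url, user_id)
        now = self.clock()
        hit = self.store.get(key)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]  # served from cache, whoever populated it
        value = load_profile(user_id)
        self.store[key] = (now, value)
        return value

def key_by_url(url, user_id):
    return url  # URL-only key: identical for every caller once userID is gone

def key_by_url_and_user(url, user_id):
    return (url, user_id)  # hardened key: per-user responses cannot collide

# Assumed URL shapes before and after the Update described in the decision.
PRE_UPDATE = lambda user_id: f"/users/{user_id}/profile"
POST_UPDATE = lambda user_id: "/users/profile"

def simulate(key_fn, url_for, delay=1.0):
    """Driver A then driver B request their profile; return what B receives."""
    clock = [0.0]
    cache = TtlCache(key_fn, clock=lambda: clock[0])
    cache.get_or_load(url_for("driver-A"), "driver-A")
    clock[0] += delay  # B's request arrives `delay` seconds after A's
    return cache.get_or_load(url_for("driver-B"), "driver-B")
```

Within the TTL the URL-only key hands driver B a copy of driver A's record; keying on the authenticated identity (or not caching per-user responses at all) is the control the change review should have asked about.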

As a result of the Incident, a total of 21,541 GrabHitch drivers' and passengers' personal data was exposed to the risk of unauthorized access, including profile pictures, passenger names, vehicle plate numbers, and wallet balance information.

The key legal issue in this case was whether the Organisation had breached its obligation under Section 24 of the PDPA to protect the personal data in its possession or under its control from unauthorized access.

Section 24 of the PDPA requires organisations to "protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks."

How Did the Court Analyse the Issues?

The Commission found that the Organisation had failed to put in place sufficient security arrangements to prevent the unauthorized access to the personal data, for two main reasons:

First, the Organisation did not have robust processes in place to manage changes to its IT systems that could put the personal data it was processing at risk. The Commission noted that this was the second time the Organisation had made a similar mistake, having previously been found in breach of Section 24 of the PDPA for failing to have adequate measures to detect errors introduced by changes to its systems.

Specifically, the Commission found that the Organisation introduced the Update to the Grab App without properly assessing how the changes would interact with the existing caching mechanism. The removal of the 'userID' variable from the URL, which had previously ensured data requests were directed to the correct GrabHitch drivers' accounts, was not adequately tested or evaluated for its potential impact.

Second, the Commission found that the Organisation did not conduct properly scoped testing before deploying the Update. The Organisation admitted that it did not test scenarios involving multiple users accessing the Grab App concurrently or consecutively, nor did it test the interaction between the caching mechanism and the changes introduced by the Update. The Commission emphasized that such pre-deployment testing is critical for organizations to detect and rectify errors that could put personal data at risk.

The Commission concluded that the Organisation's failures in managing the changes to its IT system and conducting inadequate testing amounted to a breach of its obligations under Section 24 of the PDPA to protect the personal data in its possession or under its control.

What Was the Outcome?

Having found the Organisation in breach of Section 24 of the PDPA, the Commission directed the Organisation to pay a financial penalty of S$10,000 within 30 days, failing which interest would accrue on the outstanding amount.

The Commission also directed the Organisation to put in place a data protection by design policy for its mobile applications within 120 days of the date of the direction. This was to help reduce the risk of another data breach occurring in the future.

Why Does This Case Matter?

This case is significant for several reasons:

Firstly, it reinforces the importance of organizations having robust processes in place to manage changes to their IT systems that handle personal data. The Commission has emphasized that organizations must carefully assess the potential impact of such changes and conduct thorough testing to ensure the changes do not compromise the security of personal data.

Secondly, the case highlights the Commission's expectation that organizations will learn from past breaches and take proactive steps to prevent similar incidents from occurring. The fact that this was the fourth time the Organisation had been found in breach of Section 24 of the PDPA was a significant factor in the Commission's decision to impose a financial penalty.

Finally, the case demonstrates the Commission's willingness to take enforcement action, including the imposition of financial penalties, against organizations that fail to fulfill their data protection obligations under the PDPA. This serves as a reminder to all organizations handling personal data in Singapore of the need to prioritize data protection and implement appropriate security measures.

Overall, this case provides valuable guidance for organizations on the importance of robust change management processes, thorough testing, and a proactive approach to data protection compliance, in order to meet their obligations under the PDPA.

Legislation Referenced

  • Personal Data Protection Act
  • Personal Data Protection Act 2012

Cases Cited

  • [2018] SGPDPC 16
  • [2018] SGPDPC 23
  • [2019] SGPDPC 14
  • [2019] SGPDPC 15
  • [2019] SGPDPC 20
  • [2019] SGPDPC 36
  • [2020] SGPDPC 14

Source Documents

This article analyses [2020] SGPDPC 14 for legal research and educational purposes. It does not constitute legal advice. Readers should consult the full judgment for the Court's complete reasoning.

Written by Sushant Shukla
