Singapore-based tech firm Grab has received a $16,000 fine from the city-state’s government after a data breach that saw GrabCar customers’ information leaked through email marketing campaigns.

The company offers an app that allows Singaporeans to read the news, pay for goods, and book anything from ride-sharing services to food delivery, and house-visit beauticians.

The original data breach dates back to December 2017, when GrabCar inadvertently sent 399,751 direct emails to its customers. However, 120,747 of the emails held further data on other customers, such as names and mobile phone numbers.

According to the popular platform, the leak was down to poorly arranged customer data being mixed with other databases. Grab said that the breach was reported to the Singapore Personal Data Protection Commission (PDPC) upon discovery.

Speaking to The Drum, a spokesperson for Grab said:

“Grab takes data protection and our users’ privacy very seriously, and deeply regrets that this incident occurred.

“To prevent a recurrence, we had immediately put in place more rigorous data validation and checks, including new processes that require a third person to perform sanity checks on data as well as masking phone numbers in all marketing campaigns.

“Grab is committed to comply with the Personal Data Protection Act (PDPA) and apologise for any anxiety caused.”

Grab’s prompt addressing of the situation has not stopped the PDPC from finding the company in breach of data protection standards, due to the personal nature of the data involved in the leak.

Grab has come under fire from the PDPC commissioner for failing to install sufficiently robust systems to pinpoint the real cause of the data leak. However, the PDPC praised Grab for immediately notifying the relevant authorities and potential victims of the breach.

