In eight years, Singapore’s Grab has grown from a regional clone of Uber and Lyft’s ridesharing services to a multifaceted tech company valued at US$14 billion. Adding e-wallet and food delivery services in recent years, Grab has expanded to operate throughout much of Southeast Asia and has floated the idea of going public once the company becomes profitable. The company has faced a number of challenges, however, not the least of which is a string of privacy breaches over the past two years.
The most recent breach saw about 21,500 Grab users and drivers have ridesharing personal information briefly exposed due to a technical error. As an isolated incident it might not merit much attention, but it appears to be part of a pattern that now dates back to 2018. And given that Grab has paid very little in terms of fines assessed due to these violations, it is also a pattern that it may not have incentive to properly address.
Grab’s history of privacy breaches
Grab’s most recent privacy breach occurred in August 2019, exposing tens of thousands of users of the GrabHitch carpooling service. The breach was tied to a buggy update that enabled the private profile information of some users to be viewed by others for about an hour, according to Singapore’s Personal Data Protection Commission (PDPC). The exposed information included profile pictures, names, wallet balances, history of ride payments and vehicle plate numbers.
The PDPC assessed an S$10,000 (US$7,300) fine on GrabCar and ordered that the company create a “data protection by design” policy. Though it is certainly on the low side given the size of the company, the fine on its own might have seemed a reasonable penalty for what was a relatively limited privacy breach if the incident was taken in isolation. However, the PDPC is taking a more active role in regulating the company given that the incident was not isolated and appears to fit a recent pattern of failing to implement adequate testing and precautions.
Yeong Zee Kin, deputy commissioner for the PDPC, said in a statement that “Given that the organization’s business involves processing large volumes of personal data on a daily basis, this is a significant cause for concern.” The agency’s decision found that Grab did not have “reasonable security arrangements to prevent any compromise to Personal Data Sets” in place and that it did not “conduct properly scoped testing” before deploying the faulty update. The decision did not specify what the “data protection by design” policy should contain but did mandate that it must be in place within 120 days. The policy would require that the company demonstrate that user privacy and security have been considered and implemented at the app design level.
Two of Grab’s prior privacy breaches date back to June of 2019. One of the breaches saw the company receive a S$16,000 (US$11,700) fine when it sent out over 100,000 marketing emails that contained the names and mobile phone numbers of customers. In another incident, some GrabHitch drivers were found to have disclosed the personal information of some of the service’s passengers on social media. The company was not assessed a penalty for the latter incident.
The first privacy breach of the set of four took place in October 2018, when Grab was fined S$6,000 (US$4,400) for an unauthorized disclosure of the personal data of GrabHitch drivers via a public Google Forms survey.
Will Grab’s security practices improve?
Though not yet profitable, Grab is expected to hit an annual revenue of US$2 billion for 2019. At a combined S$32,000 (US$23,400) in penalties for the four violations, the company has lost only about 0.5% of their revenue for one single day of operations. Has the company been given a reason to care?
While the new ultimatum directing the company to implement security at the design level is something of a stronger measure, it appears to be so vague that it hardly eliminates the possibility of similar privacy breaches occurring in the future. If they do, will the company simply be fined another trivial amount?
There are tools in place with which to do more. Singapore’s Personal Data Protection Act is one of the most robust data protection regulations in Asia. It allows for organizations to be fined up to S$1 million for privacy breach incidents, and imprisonment is even a possibility (though the cases described here are nowhere near likely to reaching such extreme levels). Amendments were proposed in May that would increase the maximum fine from S$1 million to up to 10% of an organization’s annual revenue.
Grab is also in the midst of attempting to obtain a banking license in Singapore. It already offers consumer loans and wealth management services to underserved markets in the country, and is courting investors in the hopes of becoming a full-fledged bank able to offer user accounts. The company is looking to partner with AIA Group Limited and Prudential PLC and had been hoping to get agreements in place in October. This would subject the company to stricter data protection and privacy regulations.