Carousell fined SG$58,000 due to data leaks affecting over 2.6 million

share on

twitter /
facebook /
linkedin /
- email
- telegram
- whatsapp
- wechat
- pinterest
- line
- snapchat
- reddit

Online marketplace Carousell has been fined SG$58,000 for failing to put in place reasonable security arrangements to protect the personal data of its platform users in its possession or under its control.

This has led to two breaches, of which, one of them led to at least 2.6 million customers' data being put up for sale on an online forum.

The other resulted to more than 44,000 users' personal data across Singapore, Malaysia, Indonesia, Taiwan and the Philippines to be exposed.

Both breaches happened in 2022 and were detailed in a judgement released by the Personal Data Protection Commission (PDPC) on Thursday (22 February.).

Don't miss: ShopBack fined SG$74,400 after personal data leak affecting millions of customers

First breach

On 13 July 2022, Carousell implemented changes to the chat function. The change was intended to be limited to users in the Philippines responding to property listings. Where such users had provided their prior consent, their first name, email address and phone number would be automatically sent to the owner of the property listing.

However, due to human error, the email addresses and names of guest users were automatically appended to all messages sent to the listing owners of all categories in all markets.

For guest users in Philippines, their telephone numbers were also leaked.

A month later, Carousell implemented a fix to resolve an unrelated issue with the pre-fill functionality of the chat function. However, these changes caused the chat function to send the email addresses and names of registered users as messages to listing owners of all categories in all markets as well, worsening the effect of the July 2022 bug.

For registered and guest users in the Philippines, their telephone numbers were also leaked.

On 23 August 2022, Carousell fixed the bugs after a user sent in a report. As a result of the July 2022 and August 2022 bugs, the personal data of 44,477 individuals, comprising email addresses of all affected users and mobile phone numbers of users in the Philippines, were disclosed without their consent.

The commission accepted Carousell's explanation that these names were not necessarily indicative of the users' actual names and were already listed on the users' public profiles.

Second breach

On 15 January 2022, Carousell launched a public-facing Application Programming Interface (API) during a system migration process. The API's original intended function was to retrieve the personal data of users followed by or following a particular Carousell user.

However, it omitted to apply a filter on that API that would have ensured that only publicly available personal data of the users - user name. name and profile image - would be called up.

Due to the omission of the filter, the API was able to call up non-public personal data of users comprising of their email addresses, telephone numbers and dates of birth.

This vulnerability was eventually exploited by a threat actor who scraped the accounts of 46 users with large numbers of users following them, or who were following many other users. This occurred in May and June 2022.

Carousell’s internal engineering team discovered the API bug on 15 September 2022 and deployed a patch that same day. Carousell conducted internal investigations but did not detect any anomalies within a 60-day period.

Carousell remained unaware of the exploitation by the threat actor until 13 October 2022 when it was alerted by the commission that an individual was offering the personal data of approximately 2.6 million Carousell users for sale on an online forum.

Carousell conducted investigations and confirmed that the data had been exfiltrated as a result of the vulnerabilities caused by the API Bug. On 17 October 2022, Carousell notified the commission of the data breach.

"We respect the Personal Data Protection Commission’s (PDPC) published decision regarding the Sep and Oct 2022 incidents, which also notes Carousell’s prompt and effective remediation actions to enhance data security and prevent similar incidents from occurring in future," said a Carousell spokesperson when MARKETING-INTERACTIVE reached out.

"Carousell has been working on addressing the additional recommended remediation steps set out by PDPC in their final decision. Both incidents were isolated one-off incidents that happened due to unrelated bugs that were introduced that have since been fixed. Additionally, the Commission also notes that the threat actor in the September incident was particularly sophisticated in avoiding the security measures Carousell had implemented."

"Protecting our users’ personal information has been and will always be of paramount importance to us. To ensure that we maintain a robust and effective security posture, we continually invest significant resources in enhancing our security infrastructure and cyber security efforts," the Carousell spokesperson added.

This news comes after it was revealed that Carousell co-founder Lucas Ngoo is stepping down from day-to-day management after over 11 years at the company. This will come into effect on 29 February 2024.

"Our co-founder Lucas Ngoo has made a personal decision to take a break from day-to-day management," said a Carousell spokesperson when MARKETING-INTERACTIVE reached out at the time. As co-founder, Ngoo had launched the marketplace in 2012 in Singapore, before expanding it across eight markets in Asia.

Despite stepping down from day-to-day management, Ngoo will continue to have full vested interests in the success of Carousell as a co-founder and board director. In addition, Ngoo will play an advisory role while the Carousell Group leadership team will continue to drive the business forward.

Join us this coming 24 - 25 April for #Content360, a two-day extravaganza centered around four core thematic pillars: Explore with AI; Insight-powered strategies; Content as an experience; and Embrace the future. Immerse yourself in learning to curate content with creativity, critical thinking, and confidence with us at Content360!

share on