Grab fined SG$16k for customer data disclosure in over 120,000 marketing emails

Grab has been fined SG$16,000 for unauthorised disclosure of the names and mobile phone numbers of 120,747 GrabCar customers in marketing emails.

According to a report by Singapore's Personal Data Protection Commission (PDPC), the company sent emails to passengers containing information on other customers because customer information had been erroneously assembled from different database tables. This came after changes were made to the structure of its customer database since the previous marketing campaign.

The PDPC's investigation found that Grab did not have adequate measures in place to detect whether the changes it made to the system had introduced errors. It also did not have enough measures to detect administrative failures and shortcomings in the way the company conducted tests.

According to the report, Grab notified the PDPC on 5 January 2018 after its customer experience team reported an "increased number of customer queries" regarding the unauthorised disclosure of their personal data to other customers. Grab confirmed the incident, which was discovered on 17 December 2017, to Marketing and said, "We immediately put in place more rigorous data validation and checks, including new processes that require a third person to perform sanity checks on data as well as masking phone numbers in all marketing campaigns."

Grab regularly conducts marketing campaigns to reach targeted customers, and these frequently involve sending emails offering special promotions to selected customers, said the report.