SINGAPORE: Singapore’s privacy watchdog fined ride-sharing app GrabCar S$10,000, saying a 2019 update put some users’ data at risk of unauthorized access in what, according to the watchdog, was a fourth violation of data privacy regulations and “a major cause for concern”.
In a filing published on September 10, the Personal Data Protection Commission (PDPC) said the update put at risk the personal data of 21,541 drivers and passengers, including profile photos, names and vehicle registration numbers, related to the GrabHitch car sharing service.
GrabCar, a unit of Grab Holdings, the largest startup in Southeast Asia, reverted the app to the previous version in about 40 minutes and took other corrective measures, PDPC said.
“Since the organization’s business involves processing large volumes of personal data on a daily basis, this is a major cause for concern,” said PDPC.
On August 30, 2019, GrabCar notified the PDPC that the profile data of 5,651 GrabHitch drivers had been exposed to the risk of unauthorized access by other GrabHitch drivers for a “short period of time on the same day” via the Grab app.
Grab’s investigations traced the cause of the breach to an app update that was rolled out on the same day, PDPC Deputy Commissioner Yeong Zee Kin said.
“The purpose of the update was to address a potential vulnerability discovered within the Grab application,” he said.
In the PDPC findings, Yeong said that the application programming interface (API) URL that allowed GrabHitch drivers to access their data contained a “user ID” component that could be manipulated to allow access to other drivers’ data.
According to GrabCar, there was no evidence that this vulnerability was exploited, PDPC said.
To correct the vulnerability, the update removed the “user ID” from the URL, shortening it to a hard-coded “user/profile”. However, it did not take into account the URL-based caching mechanism in the app, which was configured to refresh every 10 seconds.
The mechanism served cached content in response to requests for data, to reduce the load of direct access to the GrabCar database.
With the update, all URLs in the Grab app ended with “users/profile”. Without the “user ID” in the URL, which had directed data requests to the correct GrabHitch driver accounts, the caching mechanism could no longer differentiate between drivers.
Therefore, the mechanism served the same data to all GrabHitch drivers for 10 seconds before new data was retrieved from the GrabCar database and cached for the next 10 seconds.
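The failure mode described above is a cache whose key no longer contains anything that identifies the caller. The following is an added illustration, not Grab’s code; the driver records, the `/users/profile` URL and the fake clock are constructed, and only the 10-second refresh interval is taken from the article. It contrasts a cache keyed on the URL alone with one whose key is bound to the authenticated user, and shows that the second variant still saves database reads.

```python
"""Toy reproduction of a URL-keyed response cache serving one user's data to
another. Added example; all names and data are constructed."""

from typing import Callable, Dict, List, Tuple

# Constructed sample records standing in for driver profiles (not real data).
PROFILE_DB: Dict[str, dict] = {
    "driver-1001": {"name": "Driver One", "plate": "SXX1001A"},
    "driver-1002": {"name": "Driver Two", "plate": "SXX1002B"},
}


class FakeClock:
    """Deterministic clock so the TTL behaviour can be asserted."""

    def __init__(self) -> None:
        self.now = 0.0

    def advance(self, seconds: float) -> None:
        self.now += seconds


class TtlCache:
    """Refreshes an entry only when it is older than ttl_seconds."""

    def __init__(self, clock: FakeClock, ttl_seconds: float = 10.0) -> None:
        self._clock = clock
        self._ttl = ttl_seconds
        self._store: Dict[str, Tuple[dict, float]] = {}
        self.db_fetches = 0  # how often the backing store was actually hit

    def get_or_fetch(self, key: str, fetch: Callable[[], dict]) -> dict:
        entry = self._store.get(key)
        if entry is not None and self._clock.now - entry[1] < self._ttl:
            return entry[0]  # served from cache, no database access
        value = fetch()
        self.db_fetches += 1
        self._store[key] = (value, self._clock.now)
        return value


def profile_cache_key(authenticated_user: str, url: str, per_user: bool) -> str:
    """Buggy variant keys on the URL alone. The fixed variant binds the key
    to the authenticated caller, so identical URLs from different users can
    never share an entry."""
    return f"{authenticated_user}|{url}" if per_user else url


def get_profile(cache: TtlCache, authenticated_user: str, per_user: bool) -> dict:
    url = "/users/profile"  # identical for every caller once the ID is gone
    key = profile_cache_key(authenticated_user, url, per_user)
    return cache.get_or_fetch(key, lambda: dict(PROFILE_DB[authenticated_user]))


def simulate(per_user: bool) -> Dict[str, List[str]]:
    """Two drivers request their own profile inside one 10-second window, then
    driver 1002 asks again after the window expires. Returns the name each
    driver was served, in order."""
    clock = FakeClock()
    cache = TtlCache(clock, ttl_seconds=10.0)
    served: Dict[str, List[str]] = {"driver-1001": [], "driver-1002": []}
    served["driver-1001"].append(get_profile(cache, "driver-1001", per_user)["name"])
    clock.advance(3.0)  # still inside the 10-second window
    served["driver-1002"].append(get_profile(cache, "driver-1002", per_user)["name"])
    clock.advance(8.0)  # t = 11 s: any entry written at t = 0 has expired
    served["driver-1002"].append(get_profile(cache, "driver-1002", per_user)["name"])
    return served


if __name__ == "__main__":
    print("URL-only key :", simulate(per_user=False))  # driver 1002 sees driver 1001's name first
    print("per-user key :", simulate(per_user=True))   # each driver only ever sees their own data
```

With the URL-only key, the second driver’s first request lands inside the window opened by the first driver and is answered with the first driver’s record; only after the entry expires does the correct record come back. With the per-user key the leak is gone, and the repeat request from driver 1002 is still a cache hit, so the cache continues to reduce database load. The general rule is that any cache sitting in front of per-user responses must include the authenticated principal (or an equivalent such as a session identifier) in its key, and a change-management check that asks “what is this cache keyed on?” would have caught the regression before rollout.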
PDPC’s Yeong said GrabCar did not put in place “robust enough processes” to manage changes to its IT system that could put the personal data it was processing at risk.
“This was a particularly serious mistake given that this is the second time (GrabCar) has made a similar mistake, albeit with respect to a different system,” he said.
In a statement in response to the Reuters inquiry on Sunday, Grab said: “To avoid a recurrence, we have since introduced more robust processes, especially related to our IT environment testing, along with updated governance procedures and a review of our legacy application architecture and source codes.”
FINED FOR UNAUTHORIZED DISCLOSURE OF CUSTOMER DATA IN 2019
In 2019, GrabCar was ordered to pay a financial penalty of S$16,000 after it sent more than 120,000 marketing emails to customers that contained the name and mobile phone number of another customer.
The PDPC found that GrabCar “failed to make reasonable security arrangements” to detect errors in its database when sending the emails.
In the rationale for the June 11 decision last year, PDPC noted that GrabCar had made a “serious mistake” by failing to perform “proper user acceptance tests” before the emails were sent.