Singapore ride-hailing firm GrabCar has been fined $16,000 for breaching the Personal Data Protection Act.
Of the 399,751 marketing e-mails it sent out, 120,747 disclosed a customer's name and mobile number to another customer.
The incident occurred in December 2017 and was caused by an e-mail mismatch: in each case the affected customer's data was disclosed to only one other individual.
In other words, the e-mail was sent to User A as intended, but User B's name and mobile phone number appeared in it instead.
Shortly after the emails went out, the Customer Experience team at GrabCar was alerted to an increased number of customer queries about the unauthorised disclosure of personal data.
GrabCar later found that the incident was caused by the "erroneous assembly" of customer information drawn from different database tables.
Following the leak, GrabCar notified the Personal Data Protection Commission (PDPC) on 5 January 2018 and changed its practices.
These changes included requiring "a third person to perform sanity checks of the data before triggering any new campaigns", as well as plans to build privacy into its marketing e-mails by masking mobile phone numbers, said Tan Kiat How, the Commissioner for the PDPC.
The PDPC found that GrabCar had "failed to make reasonable security arrangements" to detect errors in its database before sending out the e-mails.
In its grounds of decision on Tuesday (Jun 11), the commissioner pointed out that GrabCar had made a "grave error" in not conducting "proper user acceptance testing" before the e-mails were sent out.
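The failure described above, a campaign whose personalised fields are assembled from a different table than the recipient address, and the two remedies the decision mentions (a sanity check before any campaign is triggered, and masking of mobile numbers) can be illustrated with a small example. This is an added illustration, not GrabCar's code: the two tables, the customer records and the positional-merge bug are constructed assumptions, since the decision does not say how the erroneous assembly actually occurred.

```python
"""Illustrative example (not GrabCar's code): assembling marketing e-mails from
two customer tables, a pre-send consistency check, and mobile-number masking.
All rows below are constructed sample data; the positional-merge bug is an
assumed cause, chosen because it produces exactly the A/B mismatch described."""
from dataclasses import dataclass

# Constructed sample tables. They hold the same customers but NOT in the same
# order, which is enough to break any merge that pairs rows by position.
ACCOUNTS = [  # (customer_id, email)
    (101, "a@example.com"),
    (102, "b@example.com"),
    (103, "c@example.com"),
]
PROFILES = [  # (customer_id, name, mobile)
    (102, "B Tan", "+6591234567"),
    (101, "A Lim", "+6598765432"),
    (103, "C Lee", "+6581112222"),
]


@dataclass(frozen=True)
class Message:
    customer_id: int  # account the e-mail is addressed to
    email: str
    name: str         # personalised fields that must belong to customer_id
    mobile: str


def assemble_by_position(accounts, profiles):
    """Buggy assembly (assumed): pairs the two result sets row by row, trusting
    that both queries returned customers in the same order. When they do not,
    User A's e-mail carries User B's name and mobile number."""
    return [Message(a[0], a[1], p[1], p[2]) for a, p in zip(accounts, profiles)]


def assemble_by_key(accounts, profiles):
    """Correct assembly: join on customer_id so every personalised field comes
    from the same record as the recipient address."""
    by_id = {p[0]: p for p in profiles}
    out = []
    for cid, email in accounts:
        p = by_id.get(cid)
        if p is None:
            continue  # no profile for this account: skip rather than guess
        out.append(Message(cid, email, p[1], p[2]))
    return out


def precheck(messages, profiles):
    """Pre-send sanity check, independent of how the batch was assembled:
    re-read each recipient's own profile and confirm the personalised fields
    match it. Returns the customer ids of messages that would disclose
    somebody else's data (empty list means the batch is safe to send)."""
    by_id = {p[0]: (p[1], p[2]) for p in profiles}
    return [m.customer_id for m in messages
            if by_id.get(m.customer_id) != (m.name, m.mobile)]


def mask_mobile(mobile: str, visible: int = 4) -> str:
    """Keep only the last `visible` digits, so that even a misdirected e-mail
    leaks an unusable fragment rather than a full number."""
    return "*" * max(len(mobile) - visible, 0) + mobile[-visible:]


def build_campaign(accounts, profiles, assemble=assemble_by_key):
    """Assemble, verify, then mask. Refuses to produce a sendable batch if any
    message fails the cross-customer check."""
    msgs = assemble(accounts, profiles)
    bad = precheck(msgs, profiles)
    if bad:
        raise ValueError(f"cross-customer data in messages to customer ids {bad}")
    return [Message(m.customer_id, m.email, m.name, mask_mobile(m.mobile))
            for m in msgs]


if __name__ == "__main__":
    # The buggy batch is caught before anything goes out; the keyed join passes.
    try:
        build_campaign(ACCOUNTS, PROFILES, assemble=assemble_by_position)
    except ValueError as e:
        print("blocked:", e)
    for m in build_campaign(ACCOUNTS, PROFILES):
        print(m.email, m.name, m.mobile)
```

The check in `precheck` deliberately does not trust any bookkeeping done during assembly; it goes back to the profile table and asks whether the fields about to be sent to customer 101 are customer 101's. That is the property a reviewer, or the "third person" in the decision, has to confirm, and it is cheap enough to run on every batch rather than only during user acceptance testing.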
Featured Image Credit: Vincent Wee