fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Privacy Watchdog Says It Fined Grab S$10,000 For Potentially Exposing Individuals’ Data

Privacy Watchdog Says It Fined Grab S$10,000 For Potentially Exposing Individuals’ Data

SINGAPORE’S privacy watchdog, in a decision paper made public on Thursday, disclosed that it fined ride-hailing firm GrabCar S$10,000 in July this year, after a 2019 update to its mobile app put the data of more than 21,000 drivers and passengers at risk of unauthorised access.

Yeong Zee Kin, deputy commissioner for personal data protection at the Personal Data Protection Commission (PDPC), said that Grab, in failing to have robust processes to manage changes to its IT system that could put personal data at risk, committed a “grave error”. He noted that it was the second time Grab was making a mistake of this kind, and the fourth time it was breaching a particular section of the Personal Data Protection Act (PDPA).

The incident affected passengers and drivers of the company’s car-pooling service GrabHitch. Data that was at risk of unauthorised access included profile pictures, passenger names, vehicle plate numbers and the wallet balances comprising the journal history of ride payments. Other data that was affected included GrabHitch booking details such as addresses, pick-up and drop-off times, and driver details such as total rides, and vehicle model and make.

On Aug 30, 2019, Grab had rolled out an update to address a potential vulnerability in the app. An application programming interface (API) endpoint allowed GrabHitch drivers to access their data, and the variable “userID” portion in the URL directed data requests to the correct drivers’ accounts.

But the “userID” portion could have potentially been manipulated to allow access to other GrabHitch drivers’ data. Although the update removed the “userID” portion, the company failed to consider the app’s caching mechanism – configured to refresh every 10 seconds – that served cached content in response to data requests.

Without the “userID”, the caching mechanism could no longer differentiate between drivers. As a result, it provided the same data to all GrabHitch drivers for 10 seconds before new data was retrieved and cached for the next 10 seconds.

Upon being notified of the incident, Grab rolled back the app to the version prior to the update within 40 minutes, and notified 5,651 GrabHitch drivers of the incident the same day. Its initial investigations showed that only those drivers were affected.

Grab also increased the minimum “cash out” amount for wallets in GrabHitch to S$200,000 to prevent unauthorised transfers and deployed a new app update on Sept 10, 2019.

Also read: How to Send Mass Email Without Showing Addresses: 2 Great Workarounds

The deputy commissioner found that Grab introduced changes to its app without understanding how the changes would operate with existing features of the app and its broader IT system, including the caching mechanism.

Furthermore, Grab did not conduct tests to simulate multiple users accessing the app concurrently or consecutively, which were foreseeable scenarios, considering the large number of GrabHitch drivers. No tests were conducted to verify how the caching mechanism would work with the update either.

Grab said that after the incident, it reviewed its testing and governance procedures, and did an architecture review of its legacy applications and relevant codes which had not been reviewed for an extended period of time.

The deputy commissioner further directed the firm to implement a “data protection by design” policy for its mobile applications. On Grab’s repeated violations of the PDPA, Mr Yeong noted that, “given that the organisation’s business involves processing large volumes of personal data on a daily basis, this is a significant cause for concern”.

Grab has had three other transgressions in the handling of personal data. On June 11 last year, in a similar incident, the company inadvertently disclosed the names and mobile phone numbers of 120,747 customers in marketing e-mails without authorisation. For that, it was fined S$16,000.

On Sept 27, 2018, the company was fined S$6,000 for the unauthorised disclosure of the personal data of GrabHitch drivers online through a Google Forms survey created by Grab.

Grab has also stepped on the toes of regulators overseas. In February, the National Privacy Commission in the Philippines ordered the company to stop the pilot tests and plans to roll out three new data processing systems. It found deficiencies in the passenger “selfie” verification, in-vehicle audio recording and in-vehicle video recording systems that may endanger the privacy rights of the riding public.

Also read: CCTV Law Singapore Edition: Know Your Rights and Responsibilities

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us