GrabCar, the ride-hailing company based out of Malaysia, was recently fined $16,000 for leaking the names and phone numbers of over 120,000 consumers through marketing emails.
This happened back in 2017 when emails were accidentally sent out to the wrong customers containing someone else's information.
The Commissioner for the Personal Data Protection Commission, Tan Kiat How, stated recently that the company responded quickly and changed how it sent out emails to prevent this from happening again.
The changes included "a third person to perform sanity checks of the data before triggering any new campaigns" and plans to add more privacy around the information, such as hiding phone numbers within marketing plans.
GrabCar is a part of Grab, a platform that provides food delivery and payment services through their app.
In late 2017, GrabCar sent nearly 400,000 emails to consumers but around 120,000 of them had the names and phone numbers in them. One customer would be sent the name and number of another of the company's customers.
The company said that the error occurred when consumer information was incorrectly put together in different databases.
Even though GrabCar sent out 400,000 emails, only the consumers with verified emails were sent the ones with the leaked information.
Tan stated that the company broke the requirements of the Personal Data Protection Act, since the names and phone numbers of consumers are both considered personal data by the law.
He also stated that the company "did not have adequate measures in place to detect whether the changes it made to the system that held personal data introduced errors that put the personal data it was processing at risk."
However, he did praise GrabCar's quick acknowledgement of the breach and its efforts to fix the situation before deciding on the fine amount.
The Deputy Commissioner, Yeong Zee Kin, gave GrabCar instructions over a different case in which the company didn't put in place the proper security so GrabHitch drivers could properly protect customer information.
GrabHitch puts customers together with drivers willing to give the person a lift to their destination for a price.
This particular incident stems from complaints made by customers who used GrabHitch to set up a carpool ride. Yeong has since told the company to review its practices and give drivers better procedures to protect customer personal data.
This second incident didn't warrant a fine of any kind.