24-2-2024 (SINGAPORE) Online marketplace Carousell has been fined S$58,000 by the Personal Data Protection Commission (PDPC) over two separate data breach incidents in 2022. The PDPC’s decision, disclosed in a press release on Thursday, highlights the importance of data protection in the digital age.
The first data breach, reported on September 5, 2022, exposed the personal data of 44,777 individuals across Singapore, Malaysia, Indonesia, Taiwan, and the Philippines. The second incident, reported on October 17, 2022, involved the personal data of 2.6 million Carousell users being offered for sale on an online forum.
Carousell acknowledged its liability for both breaches and, according to the PDPC, took remedial action following the incidents.
The PDPC’s published decision dated December 28, 2023, details the sequence of events for the first breach. On July 13, 2022, Carousell changed its chat function so that users in the Philippines could opt in to having their contact details automatically included in responses to property listings. Due to human error, the email addresses and names of all “guest users” were instead sent to all listing owners across markets. An unrelated fix on August 18, 2022, exacerbated the issue, resulting in the disclosure of email addresses, names of “registered users,” and phone numbers of users in the Philippines. Carousell only became aware of the breach on August 18, 2022, through a user report. By then, the personal data of 44,477 individuals had been disclosed without consent.
PDPC accepted Carousell’s explanation that the self-reported names found on profiles might not be indicative of users’ real names, thus not constituting a breach of the Personal Data Protection Act (PDPA).
The second breach occurred after Carousell launched a public-facing Application Programming Interface (API) on January 15, 2022, during a system migration. The API, designed to retrieve user data, inadvertently exposed non-public information, including email addresses, telephone numbers, and dates of birth. A “threat actor” exploited this vulnerability between May and June 2022, obtaining personal data through 46 accounts with a substantial following. Carousell patched the bug on September 15, 2022, but only discovered the breach when alerted by PDPC on October 13, 2022. Carousell identified and blocked the threat actor’s account on October 13, 2023, and notified affected users by email.
PDPC found that Carousell breached PDPA obligations by failing to conduct adequate pre-launch testing and maintain reliable documentation on system specifications.
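The second breach is a familiar failure mode: a public endpoint serialises a whole stored user record, so fields that should never leave the service (here, email, phone number and date of birth) go out with it. The following Python is an added illustration, not Carousell's code; the record layout, field names and sample values are constructed. It places the over-exposing serialiser beside an allowlist-based one and includes the kind of pre-launch check, run over the endpoint's actual response, that finds sensitive keys at any nesting depth.

```python
"""Added illustrative example, not Carousell's or the PDPC's code.

Models the bug described above: a public endpoint that returns a whole
user record, including fields that should never leave the service, and the
pre-launch check that would flag it. The record layout, field names and
sample values are constructed for this example."""
from typing import Any

# Constructed sample record as stored internally (not Carousell's schema).
STORED_USER = {
    "user_id": 1,
    "username": "seller_a",
    "listings_count": 12,
    "contact": {"email": "a@example.test", "phone": "+65 0000 0000"},
    "date_of_birth": "1990-01-01",
}

# Fields a public, unauthenticated profile endpoint may return.
PUBLIC_FIELDS = frozenset({"user_id", "username", "listings_count"})

# Keys that must never appear in a public response at any nesting depth.
SENSITIVE_KEYS = frozenset({"email", "phone", "date_of_birth"})


def public_profile_unsafe(user: dict) -> dict:
    """Over-exposing variant: returns the stored record as-is."""
    return dict(user)


def public_profile(user: dict) -> dict:
    """Hardened variant: only explicitly allowlisted top-level fields leave."""
    return {k: user[k] for k in PUBLIC_FIELDS if k in user}


def find_sensitive_paths(obj: Any, prefix: str = "") -> list:
    """Pre-launch check: dotted paths of sensitive keys anywhere in a response."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else key
            if key in SENSITIVE_KEYS:
                found.append(path)
            found.extend(find_sensitive_paths(value, path))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            found.extend(find_sensitive_paths(item, f"{prefix}[{i}]"))
    return found


if __name__ == "__main__":
    print("unsafe:", find_sensitive_paths(public_profile_unsafe(STORED_USER)))
    print("hardened:", find_sensitive_paths(public_profile(STORED_USER)))
```

Such a check belongs in the release test suite, run against the real serialised response rather than the model definition, so that a schema change or migration that widens the record is caught before the endpoint goes live.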
Despite recognizing Carousell’s cooperation, prompt remediation, and lack of prior contraventions, PDPC imposed a fine of S$58,000. Additionally, Carousell is directed to review its internal processes, including software testing procedures and documentation of software specifications, and rectify any identified gaps.