In a filing published on Sept. 10, the Personal Data Protection Commission (PDPC) said the update risked the personal data of 21,541 drivers and passengers, including profile pictures, names and vehicle plate numbers, related to carpooling service GrabHitch.
Grabcar, a unit of Southeast Asia’s largest startup Grab Holdings, rolled back the app to the previous version within about 40 minutes and took other remedial action, the PDPC said.
“Given that the organisation’s business involves processing large volumes of personal data on a daily basis, this is a significant cause for concern,” the PDPC said.
The regulator also directed Grab to put in place a data protection by design policy, where data protection measures are considered and built into tech systems as they are being developed.
In a statement in response to Reuters’ query on Sunday, Grab said: “To prevent a recurrence, we have since introduced more robust processes, especially pertaining to our IT environment testing, along with updated governance procedures and an architecture review of our legacy application and source codes.”