SINGAPORE: The Personal Data Protection Commission (PDPC) has imposed a fine of S$58,000 on online marketplace Carousell over two data breach incidents that occurred in 2022.
The company had failed "to put in place reasonable security arrangements to protect the personal data of its platform users in its possession or under its control," PDPC said on Feb 22. The company has also been directed to review its software testing procedures and its processes for documenting the functional and technical specifications of software, and to correct any gaps those reviews find.
Carousell operates in a number of markets, including Singapore, Malaysia, Taiwan, the Philippines, and Indonesia.
PDPC learned about the first incident on Sept 5, 2022; it involved the unauthorised disclosure of the personal data of 44,477 people in Singapore, Malaysia, Indonesia, Taiwan and the Philippines. On Oct 17 of that year, the company told PDPC about the second incident, in which the personal data of at least 2.6 million Carousell users was being sold.
The first incident dates from July 2022, when changes Carousell made to its chat function, through human error, "caused the chat function to automatically append the email addresses and names of Guest Users to messages to listing owners of all categories in all markets."
Guest users are those without registered accounts. In the Philippines, guest users also had their telephone numbers attached to the messages. Carousell fixed the issue the following month, but by then the personal data of 44,477 individuals, "comprising email addresses of all affected users and mobile phone numbers of users in the Philippines", had been disclosed without their consent.
The second incident can be traced back to Jan 15, 2022, when, in the course of a system migration, Carousell launched a public-facing Application Programming Interface (API) meant to retrieve the personal data of the users following, or followed by, a particular user.
The API also returned other information about those users, including email addresses, telephone numbers and dates of birth.
Between May and June of that year, a threat actor used 46 accounts that had a large following or followed a large number of accounts to obtain the personal data of numerous users through the API.
Carousell resolved the issue by Sept 15, 2022, but the following month PDPC informed the company that a person was selling the personal data of approximately 2.6 million Carousell users on an online forum.
PDPC found that the first incident did not breach the Personal Data Protection Act (PDPA), but the second did, as the company had failed to carry out sufficient pre-launch testing of new features.
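Both incidents are instances of the same defect: a code path that serialises more of a user record than its recipient needs (the chat change appended guest users' email addresses and, in the Philippines, phone numbers; the followers API returned email addresses, phone numbers and dates of birth). The Python below is an added illustration, not Carousell's code; the record layout, field names, sample users and endpoint shapes are all assumed. It shows a "before" that serialises whole records, an "after" that projects onto an explicit allow-list, and the kind of pre-launch contract check, walking a response for sensitive keys at any depth, whose absence PDPC's finding refers to.

```python
"""Data-minimisation check for a followers endpoint and a chat message builder.

Added example, not Carousell's code. Every name, field and record below is
constructed for illustration.
"""
from dataclasses import dataclass, asdict
from typing import Any

# Fields a followers/following listing may expose (assumed allow-list).
PUBLIC_FIELDS = frozenset({"user_id", "username"})
# Fields that must never leave the server through these paths (assumed).
SENSITIVE_FIELDS = frozenset({"email", "phone", "date_of_birth"})


@dataclass(frozen=True)
class UserRecord:
    user_id: int
    username: str
    email: str
    phone: str
    date_of_birth: str
    is_guest: bool = False


# Constructed sample data: a tiny social graph, not real users.
USERS = {
    1: UserRecord(1, "seller_one", "s1@example.invalid", "+65-0000-0001", "1990-01-01"),
    2: UserRecord(2, "buyer_two", "b2@example.invalid", "+63-0000-0002", "1991-02-02"),
    3: UserRecord(3, "buyer_three", "b3@example.invalid", "+60-0000-0003", "1992-03-03"),
    4: UserRecord(4, "guest_4f2a", "g4@example.invalid", "+63-0000-0004", "", is_guest=True),
}
FOLLOWERS = {1: [2, 3, 4]}  # user 1 is followed by users 2, 3 and 4


def followers_before(user_id: int) -> list[dict[str, Any]]:
    """'Before': serialise the whole record. Every column, including any
    added later, reaches the caller. This is the over-exposure pattern."""
    return [asdict(USERS[f]) for f in FOLLOWERS.get(user_id, [])]


def followers_after(user_id: int) -> list[dict[str, Any]]:
    """'After': project onto an explicit allow-list. A field not named in
    PUBLIC_FIELDS is withheld by default, so new columns cannot leak."""
    return [
        {k: v for k, v in asdict(USERS[f]).items() if k in PUBLIC_FIELDS}
        for f in FOLLOWERS.get(user_id, [])
    ]


def chat_message_before(sender_id: int, text: str) -> dict[str, Any]:
    """'Before': the message carries the sender's full record, so a guest's
    email (and phone) travels to the listing owner along with the text."""
    return {"text": text, "sender": asdict(USERS[sender_id])}


def chat_message_after(sender_id: int, text: str) -> dict[str, Any]:
    """'After': the recipient gets an opaque sender id and username only."""
    s = USERS[sender_id]
    return {"text": text, "sender": {"user_id": s.user_id, "username": s.username}}


def leaked_fields(payload: Any) -> set[str]:
    """Pre-launch contract check: walk a JSON-like payload (dicts and lists,
    nested to any depth) and return the names of sensitive keys present.
    An empty set means the response honours the allow-list."""
    found: set[str] = set()
    if isinstance(payload, dict):
        found |= SENSITIVE_FIELDS.intersection(payload)  # iterating a dict yields keys
        for value in payload.values():
            found |= leaked_fields(value)
    elif isinstance(payload, (list, tuple)):
        for item in payload:
            found |= leaked_fields(item)
    return found


if __name__ == "__main__":
    for label, payload in [
        ("followers before", followers_before(1)),
        ("followers after", followers_after(1)),
        ("chat before", chat_message_before(4, "Is this still available?")),
        ("chat after", chat_message_after(4, "Is this still available?")),
    ]:
        leak = leaked_fields(payload)
        print(f"{label:16s} leaked: {sorted(leak) if leak else 'none'}")
```

Run as a test, `leaked_fields` fails the build for the "before" variants and passes the "after" ones; because it recurses, it also catches a record nested under a `sender` key, which is how the chat variant leaks. The allow-list direction matters: denying named sensitive fields would still have exposed a column added after the list was written, whereas projecting onto `PUBLIC_FIELDS` withholds anything unnamed.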
Aside from paying the fine and reviewing its security, Carousell must also provide PDPC with a report of the review and the rectifications made. /TISG