Grab must review data policies following security breaches

Singapore orders Grab to put in place a "data protection by design policy" after the mobile app platform breaches the country's personal data protection laws multiple times, which security observers say indicate the need for a "serious review".
Written by Eileen Yu, Senior Contributing Editor

Grab must reassess its cybersecurity framework, especially after the mobile app platform reported a series of breaches that compromised its customers' data. The latest security incident has prompted Singapore's Personal Data Protection Commission (PDPC) to impose a fine of SG$10,000 ($7,325) and order a review of the company's data protection policies within 120 days. 

The August 30, 2019, breach came to light when Grab informed the PDPC that changes it made to its mobile app had resulted in the unauthorised access of its drivers. Further investigations later revealed that personal information of 21,541 GrabHitch drivers and passengers was exposed to the risk of unauthorised access, including vehicle numbers, passenger names, and e-wallet balance comprising a history of ride payments. 

Grab had deployed an update to plug a potential vulnerability in its API (application programming interface), but this resulted in the data breach. 

In its report, the PDPC noted that Grab had made changes to its systems without ensuring "reasonable security arrangements" were put in place to prevent any compromise of personal datasets. The lack of sufficiently robust processes to manage changes to its IT systems was a "particularly grave error" since it was the second time the vendor had made a similar mistake, with the first affecting a different system. 

The commission noted that Grab had made changes to its app without understanding how such modifications would operate with existing features of its app and its broader IT system. 

It also did not conduct proper scoping tests before deploying updates to its app, the PDPC said, noting that organisations were obliged to do so before introducing new IT features or changes to their systems. "These tests need to mimic real-world usage, including foreseeable scenarios in a normal operating environment when the changes are introduced. Such tests prior to deployment are critical to enable organisations to detect and rectify errors in the new IT features and/or be alerted to any unintended effects from changes that may put personal data at risk," the commission said. 

It added that Grab had admitted it did not conduct tests to simulate multiple users accessing its app or specific tests to verify how the caching mechanism -- which was the component that resulted in the breach -- would work in tandem with the update.

Underscoring the fact that the company now had breached Section 24 in Singapore's PDPA four times, the PDPC said this was "significant cause for concern" especially given Grab's business involved processing large volumes of personal data on a daily basis. Section 24 outlines the need for organisations to protect personal data in its possession or under its control by making "reasonable security arrangements" to prevent unauthorised access, collection, use, disclosure, copying, modification, or similar risks.

Singapore-based Grab, which started out as a ride-sharing operator, now offers a service portfolio that includes food delivery, digital payments, and insurance. It also announced its bid for a digital bank licence, alongside partner Singtel, in Singapore, where both companies would target "digital-first" consumers and small and midsize businesses. The partnership would lead to a joint entity, in which Grab would own a 60% stake. Grab has operations across eight Asia-Pacific markets including Indonesia, Malaysia, Thailand, and Vietnam.

In addition to the fine, the PDPC also instructed Grab to put it place a "data protection by design policy" for its mobile applications within 120 days, in order to reduce the risk of another data breach.

ZDNet asked Grab several questions including specific areas the company planned to review, security policies it put in place following the initial breach, and steps it had taken to ensure security was built into its various processes as the company introduced new services in recent years.

It did not respond to any of these questions and, instead, replied with a statement it had previously released: "The security of data and the privacy of our users is of utmost importance to us and we are sorry for disappointing them. When the incident was discovered on August 30, 2019, we took immediate actions to safeguard our users' data and self-reported it to the PDPC. To prevent a recurrence, we have since introduced more robust processes, especially pertaining to our IT environment testing, along with updated governance procedures and an architecture review of our legacy application and source codes."

Data policy in need of "serious review"

That it violated the PDPA four times since 2018, seemed to indicate Grab was in need of a "serious review", noted Ian Hall, Synopsys Software Integrity Group's Asia-Pacific manager of client services. In particular, the company should assess its release processes, where required testing and checkpoints must be passed before the release of its app.

Citing a study by Enterprise Strategy Group, he noted that it was common for vulnerable codes to be moved to production, typically due to a company's need to meet deadlines. 

Aaron Bugal, Sophos' global solutions engineer, concurred, noting that Grab's brushes with security was "a classic example" of an organisation that was rapidly expanding, but not scaling their security policies and technical controls proportionately. "Given this is another issue with its application on mobile devices, it would be wise to look at a third-party service that evaluates the security of the app before its release," Bugal told ZDNet in an email interview.

Asked if it was challenging for companies such as Grab, which had rapidly expanded their service portfolio, to ensure security remained robust, Hall said it certainly would be more difficult to maintain increasingly complex apps that covered a wide range of functionalities. 

He explained that certain legacy code sections might not be updated as frequently as newer codes and, at the same time, newer codes also might introduce new vulnerabilities. 

"Developers may tend to focus their efforts on newer codes and going back to fix a vulnerability in the legacy code portions may be more difficult," he said. "This is why it is always better to find and fix issues earlier in the development lifecycle and for security tools to be well integrated to development processes."

Bugal noted that more customer data would be captured as organisations grew their business, and security measures should scale alongside the app and data collected. 

He added that any changes to a company's operational model should incorporate a security architecture from the conceptual stages. "This is not something that's retrospectively bolted on, or thought of, once the changes are released," he said.

According to Hall, developers often inadvertently introduced vulnerabilities because they were not security experts. He noted that some of the most common vulnerabilities emerged from improper use of Google's Android or Apple's iOS mobile platforms, insecure data storage, and insecure communication. 

Bugal added that several organisations also used outdated development tools and would not implement services that evaluated the libraries and shared code that many applications used as a base. "These can sometimes introduce vulnerabilities into an application through no fault of the application developer," he explained. "Using modernised development environments and including security designs and evaluations of applications during the formative and release phases are integral to better security."

He noted that changes to mobile apps typically were automatically accepted by app store fronts and applied to mobile devices upon their release, leaving mobile consumers "at the mercy of the developer to do the right thing" with regards to application design and overall security. 

"As consumers, we should understand what data an organisation is collecting, how they store it, and understand the risk if that data was to ever leak," he said. 

Hall added: "I would recommend users of mobile and other devices keep both their apps and operating systems updated. Also, use apps and providing personal details only to companies and apps that you trust. On the Android platform, we can disable particular permissions on apps that should not have access to them."


Editorial standards