Singapore: PDPC fines Carousell SGD 58,000 for data breach
On February 22, 2023, the Personal Data Protection Commission (PDPC) published its decision in Case No. DP-2209-C0166 in which it issued a fine of SGD 58,000 (approx. $43,140) to Carousell Pte. Ltd. for violation of the Personal Data Protection Act (No. 26 of 2012) (PDPA) following an investigation.
Background to the decision
By way of background, the PDPC noted that Carousell runs an online marketplace and mobile app for the purchase and sale of second-hand goods. On September 5, 2022, Carousell notified the PDPC of a data breach involving the personal data of 44,477 individuals, and of a separate breach, on October 17, 2022, involving the sale of the personal data of at least 2.6 million individuals using Carousell's platform.
Findings of the PDPC
The PDPC found that the first data breach occurred as a result of changes implemented to the chat function, which caused the chat function to automatically append the email addresses and names of guest users to messages to listing owners of all categories in all markets. However, the PDPC noted that Carousell took remedial measures following the first data breach and that the information leaked was basic personal information such as email addresses.
Regarding the second data breach, the PDPC outlined that an API used by Carousell was exploited by a third party, which allowed access to non-public personal information associated with users. Accordingly, the PDPC determined that Carousell breached Section 24 of the PDPA by failing to make reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks. Specifically, Carousell was found not to have conducted proper pre-launch testing to identify data protection risks and defects, and to have failed to document the functional and technical specifications of the app, documentation that helps keep track of issues over time.
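Both failure modes above, a chat payload that quietly starts carrying a guest's email address, and an API response that serialises non-public fields, are the kind of defect the pre-launch testing the PDPC refers to is meant to catch. The following is an added illustration, not Carousell's code and not taken from the decision: it is a hypothetical marketplace backend with an explicit allowlist of user fields that may be shown to other users, and a leak check that walks every user-facing payload and reports any non-public field that appears in it, either as a key or embedded in a string. The `User` record, its field names, the guest fixture and both "leaky" variants are constructed for the example.

```python
from dataclasses import dataclass, asdict, fields


@dataclass
class User:
    """Constructed user record (hypothetical). Only the allowlisted fields
    below may be shown to another user."""
    user_id: int
    username: str
    display_name: str
    email: str    # non-public
    phone: str    # non-public


# Private by default: a field reaches another user only if it is listed here.
PUBLIC_USER_FIELDS = frozenset({"user_id", "username", "display_name"})
NON_PUBLIC_USER_FIELDS = frozenset(f.name for f in fields(User)) - PUBLIC_USER_FIELDS


def public_user_view(user: User) -> dict:
    """Projection of a user record that is safe to send to other users."""
    return {k: v for k, v in asdict(user).items() if k in PUBLIC_USER_FIELDS}


def build_chat_message(sender: User, text: str) -> dict:
    """Chat payload delivered to a listing owner (hardened form)."""
    return {"sender": public_user_view(sender), "text": text}


def build_chat_message_leaky(sender: User, text: str) -> dict:
    """Same payload, but with the sender's name and email appended to the text:
    the shape of regression the first breach above describes."""
    return {"sender": public_user_view(sender),
            "text": f"{text}\n-- {sender.display_name} <{sender.email}>"}


def user_api_response(user: User) -> dict:
    """Response of a hypothetical user-lookup endpoint (hardened form)."""
    return public_user_view(user)


def user_api_response_leaky(user: User) -> dict:
    """Hypothetical endpoint that serialises the whole record, non-public fields included."""
    return asdict(user)


def find_leaks(payload, user: User) -> set:
    """Return the names of `user`'s non-public fields that appear anywhere in
    `payload`, whether as a dictionary key or as a value embedded in a string."""
    private_values = {f: getattr(user, f) for f in NON_PUBLIC_USER_FIELDS
                      if isinstance(getattr(user, f), str) and getattr(user, f)}
    leaks = set()

    def walk(node):
        if isinstance(node, dict):
            for k, v in node.items():
                if k in NON_PUBLIC_USER_FIELDS:
                    leaks.add(k)          # non-public field exposed as a key
                walk(v)
        elif isinstance(node, (list, tuple)):
            for v in node:
                walk(v)
        elif isinstance(node, str):
            for f, pv in private_values.items():
                if pv in node:
                    leaks.add(f)          # non-public value embedded in free text

    walk(payload)
    return leaks


# Constructed guest fixture used by the pre-launch check.
GUEST = User(user_id=1, username="guest_1", display_name="Guest Buyer",
             email="guest@example.com", phone="+65 0000 0000")


def pre_launch_leak_check(sender: User = GUEST) -> dict:
    """Run every user-facing serialiser against the guest fixture and report
    the leaked field names per code path; an empty set means the path is clean."""
    text = "Is this still available?"
    return {
        "chat": find_leaks(build_chat_message(sender, text), sender),
        "chat_leaky": find_leaks(build_chat_message_leaky(sender, text), sender),
        "user_api": find_leaks(user_api_response(sender), sender),
        "user_api_leaky": find_leaks(user_api_response_leaky(sender), sender),
    }


if __name__ == "__main__":
    for path, leaks in pre_launch_leak_check().items():
        status = "OK" if not leaks else "LEAK: " + ", ".join(sorted(leaks))
        print(f"{path:15s} {status}")
```

The check is deliberately value-based as well as key-based: a serialiser that renames `email` to `contact` or concatenates it into a message body still trips it, which is what a pre-launch regression test for personal-data exposure needs. Wiring `pre_launch_leak_check` into the release pipeline and failing the build on any non-empty set turns the allowlist into an enforced specification of what each endpoint may disclose.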
Outcomes
In light of the above violation of the PDPA, the PDPC imposed the abovementioned fine on Carousell, taking into consideration that Carousell had not previously violated the PDPA and was cooperative with the PDPC's investigation.