Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Singapore: PDPC fines Carousell SGD 58,000 for data breach

On February 22, 2023, the Personal Data Protection Commission (PDPC) published its decision in Case No. DP-2209-C0166 in which it issued a fine of SGD 58,000 (approx. $43,140) to Carousell Pte. Ltd. for violation of the Personal Data Protection Act (No. 26 of 2012) (PDPA) following an investigation.

Background to the decision

In particular, the PDPC highlighted that Carousell runs an online marketplace and mobile app for the purchase and sale of second-hand goods. On September 5, 2022, Carousell notified the PDPC of a data breach involving the personal data of 44,477 individuals, and a separate breach, on October 17, 2022, involving the sale of the personal data of at least 2.6 million individuals using Carousell's platform.

Findings of the PDPC

The PDPC found that the first data breach occurred as a result of changes implemented to the chat function, which caused the chat function to automatically append the email addresses and names of guest users to messages to listing owners of all categories in all markets. However, the PDPC noted that Carousell took remedial measures following the first data breach and that the information leaked was basic personal information such as email addresses.

Regarding the second data breach, the PDPC outlined that an API used by Carousell was exploited by a third party which allowed access to non-public personal information associated with users. Accordingly, the PDPC determined that Carousell breached Section 24 of the PDPA by failing to make reasonable security arrangements to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, or similar risks. Specifically, Carousell was found not to have conducted proper pre-launch testing to identify data protection risks and defects, alongside failing to document functional and technical specifications of an app that helps keep track of issues over time.


In light of the above violation of the PDPA, the PDPC imposed the abovementioned fine on Carousell, taking into consideration that Carousell had not previously violated the PDPA and was cooperative with the PDPC's investigation.

You can read the press release here and the decision here