SINGAPORE — E-commerce platform Carousell has been fined S$58,000 over two separate data breaches, one of which led to at least 2.6 million customers’ data being put up for sale on an online forum.

In the other incident, the personal data of more than 44,000 users across Singapore, Malaysia, Indonesia, Taiwan and the Philippines was exposed.

Both breaches happened in 2022 and were detailed in a judgment released on Thursday (Feb 22) by the Personal Data Protection Commission (PDPC).

Carousell, which was founded in Singapore in 2012 and currently has offices at eight locations in Asia, allows consumers to buy and sell new and second-hand goods and services via its website and mobile app. It expanded to include property listings in recent years.

FIRST BREACH

The first data breach took root in July 2022 when Carousell implemented changes to its chat function.

The changes were meant to be limited to users in the Philippines who were responding to property listings. When the users provided prior consent, their first name, email address and phone number would be automatically sent to the owner of the property listing.

Due to human error, however, the email addresses and names of guest users were automatically appended to all messages sent to the listing owners of all categories in all markets. For guest users in the Philippines, their telephone numbers were also leaked.

Carousell did not pick up on this bug at the time. Instead, a month later, it implemented a fix to resolve an unrelated issue with the pre-fill functionality of the chat function.

This worsened the effect of the original bug. Now the data of registered users, not just guest users, was also automatically appended to messages.

On Aug 24, 2022, Carousell fixed the bugs after a user sent in a report.
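To make the scoping failure concrete, here is an added illustration (not Carousell's code) of a chat pre-fill routine with the missing market/category check beside the intended version, plus the kind of pre-launch regression check that would have caught the leak. All names, markets and categories are constructed for the example.

```python
"""Added illustration (not Carousell's code): scoping the chat pre-fill to the
intended market and category, with a regression check over other markets and
categories. All names, markets and categories are assumptions for the example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class User:
    name: str
    email: str
    phone: str
    consented: bool  # explicit prior consent to share contact details


@dataclass(frozen=True)
class Listing:
    category: str   # e.g. "property", "electronics"
    market: str     # country code, e.g. "PH", "SG"


def contact_prefill_buggy(user: User, listing: Listing) -> Dict[str, str]:
    # Models the reported defect: the market/category scope is never checked,
    # so name and email are appended for listing owners in every category and
    # market, and the phone number for every Philippine listing.
    fields = {"name": user.name, "email": user.email}
    if listing.market == "PH":
        fields["phone"] = user.phone
    return fields


def contact_prefill_fixed(user: User, listing: Listing) -> Dict[str, str]:
    # Intended behaviour: share contact details only for Philippine property
    # listings, and only with prior consent. Everything else gets nothing.
    in_scope = listing.category == "property" and listing.market == "PH"
    if not (in_scope and user.consented):
        return {}
    return {"name": user.name, "email": user.email, "phone": user.phone}


def regression_check(prefill: Callable[[User, Listing], dict]) -> List[Tuple[str, str]]:
    """Pre-launch test: list every out-of-scope case in which data would leak."""
    u = User("Ana", "ana@example.invalid", "+63-000-0000", consented=False)
    cases = [Listing("property", "PH"), Listing("electronics", "PH"),
             Listing("property", "SG"), Listing("cars", "MY")]
    return [(l.category, l.market) for l in cases
            if not (l.category == "property" and l.market == "PH") and prefill(u, l)]
```

`regression_check` returns an empty list for the fixed routine and three leaking cases for the buggy one; a test like this is what a code review of a change to a shared function should insist on.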

The bugs led to the personal data of 44,477 people being leaked. This comprised the email addresses of all affected users as well as the mobile phone numbers of users in the Philippines.

While names associated with users’ accounts were also disclosed, the PDPC did not consider this relevant in assessing how Carousell breached the Personal Data Protection Act (PDPA).

The commission accepted Carousell’s explanation that these names were not necessarily indicative of the users’ actual names, and were already listed on the users’ public profiles.

SECOND BREACH

As for the second data leak, the PDPC alerted Carousell to it on Oct 13, 2022, when someone offered about 2.6 million users’ personal data for sale.

The breach arose when Carousell launched a public-facing application programming interface (API) during a system migration process on Jan 15, 2022. An API allows computer programmes to communicate with each other.

However, Carousell inadvertently failed to apply a filter on the API it had launched.

The filter would have ensured that only publicly available data of users who were followed by, or following, a particular Carousell user would be called up.

Because the filter was not present, the API was able to call up the users’ private data comprising email addresses, telephone numbers and dates of birth.
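The following is an added illustration (not Carousell's code) of the kind of defect described: a follower/following endpoint that serialises whole stored records beside one that projects each record onto a public-field allow-list, together with a response-level check for private fields. The record layout, field names and sample accounts are constructed for the example.

```python
"""Added illustration (not Carousell's code): an API that returns whole user
records versus one that applies a public-field filter over a user's
follower/following graph. Record layout and sample data are assumptions."""
from typing import Dict, List, Set

# Constructed sample accounts; all values are placeholders, not real data.
USERS: Dict[str, dict] = {
    "u1": {"id": "u1", "username": "alice", "bio": "sells books",
           "email": "alice@example.invalid", "phone": "+65-0000-0000", "dob": "1990-01-01"},
    "u2": {"id": "u2", "username": "bob", "bio": "collector",
           "email": "bob@example.invalid", "phone": "+60-0000-0000", "dob": "1985-05-05"},
    "u3": {"id": "u3", "username": "carol", "bio": "furniture",
           "email": "carol@example.invalid", "phone": "+62-0000-0000", "dob": "1992-09-09"},
}
# Who follows whom: FOLLOWS[x] is the set of users x follows.
FOLLOWS: Dict[str, Set[str]] = {"u1": {"u2"}, "u2": {"u1"}, "u3": {"u1"}}

# Allow-list of fields that may ever leave the service. An allow-list fails
# closed when a new private column is added; a deny-list fails open.
PUBLIC_FIELDS = ("id", "username", "bio")


def _related(user_id: str) -> List[str]:
    """Users followed by, or following, user_id (sorted for stable output)."""
    following = FOLLOWS.get(user_id, set())
    followers = {u for u, f in FOLLOWS.items() if user_id in f}
    return sorted(following | followers)


def followers_unfiltered(user_id: str) -> List[dict]:
    # Models the defect: the full stored record is serialised for every
    # related account, so email, phone and date of birth ride along.
    return [dict(USERS[u]) for u in _related(user_id)]


def followers_filtered(user_id: str) -> List[dict]:
    # Hardened: project onto the allow-list before the data leaves the
    # service, regardless of what the storage layer holds.
    return [{k: USERS[u][k] for k in PUBLIC_FIELDS} for u in _related(user_id)]


def leaked_private_fields(records: List[dict]) -> Set[str]:
    """Response-level check for a test or egress monitor: any key outside the
    allow-list in an outgoing payload is a leak."""
    return {k for r in records for k in r if k not in PUBLIC_FIELDS}
```

Running `leaked_private_fields` over every public endpoint's responses in a migration test suite is the kind of systematic check that catches a filter dropped from one API among many.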

This vulnerability was exploited by a threat actor who, in May and June 2022, scraped the accounts of 46 users who either had large numbers of followers or were following many other users.

Carousell’s internal engineering team discovered the API bug on Sep 15, 2022 and deployed a patch that same day.

When the company conducted internal investigations to find out if users’ personal data had been accessed without authorisation in the 60 days before it discovered the bug, it did not detect any anomalies.

Carousell remained unaware of this breach until the PDPC informed it of the advertisement offering the data for sale.

The judgment did not indicate whether the data was actually sold.

LACK OF PROPER DOCUMENTATION

For the first data breach, PDPC said that Carousell failed to conduct reasonable pre-launch testing when it put in place changes to its chat function.

Carousell admitted that it did not check how the changes could have affected other users and listings outside the intended category, that is, property listings in the Philippines.

PDPC said that reasonable code reviews and testing would have detected the bugs before the changes went live.

For the second data breach, PDPC noted that Carousell selectively performed code reviews and tests during its system migration. It failed to identify the relevant API and test it for data security risks.

It also admitted that it did not mandate comprehensive code reviews for security issues.

In both incidents, PDPC flagged a lack of proper documentation, noting that this can help an organisation keep track of issues over time.

“It can help to provide context to historical changes and reasons why changes were made in a certain way, which would be especially important where new personnel are expected to take over work on the application,” PDPC added.

For the first data breach, the engineer who implemented the changes to Carousell’s chat function was not the original author of the function and did not have the contextual knowledge to realise that such changes would affect other users and categories.

For the second breach, the APIs involved in the system migration were built in 2016 and did not have proper documentation. Carousell admitted that the employees involved may not have been aware that they needed to apply a filter to the relevant API post-migration.

PDPC ordered Carousell to review its internal processes for software testing and documentation, while noting that it had implemented technical measures to correct the issues that led to the data leaks.

PDPC’S DECISION

In determining the financial penalty to be imposed, PDPC took into account factors such as Carousell’s cooperation with investigations, its “prompt and effective remediation actions” when the breaches were discovered, and the fact that this was the first time Carousell had breached the PDPA.

Singapore’s data privacy watchdog further noted that the threat actor in the second breach was “particularly sophisticated” in avoiding Carousell’s security measures.

“The organisation’s early admission of liability for its breaches of the protection obligation is considered a significant mitigating factor,” added PDPC.

“An organisation that voluntarily admits to its non-compliance with the PDPA and takes measures to correct such non-compliance is an organisation that demonstrates that it can be responsible for the personal data in its possession or under its control.”

In October 2022, the maximum amount that a company can be fined for a data breach was increased to either 10 per cent of its annual turnover in Singapore or S$1 million, whichever is higher.

Previously, organisations that violated the PDPA faced a financial penalty of up to S$1 million. CNA
