Carousell, the online marketplace, was fined S$58,000 by Singapore's Personal Data Protection Commission (PDPC) on Thursday, February 22. The penalty stems from two data breaches in 2022 that together affected more than 2.6 million users.
The First Incident: A Summer of Unintended Disclosure
The first incident, dated September 5, 2022, exposed the personal data of 44,477 individuals in Singapore, Malaysia, Indonesia, Taiwan, and the Philippines. It traced back to changes Carousell made to its chat function in July 2022. The changes were meant to streamline communication, in particular for users in the Philippines enquiring about property listings. A human error in the change caused the names and email addresses of "guest users" to be sent to listing owners across categories and markets the change was never meant to touch; for users in the Philippines, phone numbers were exposed as well. Carousell fixed the problem by August 24, 2022, after a user reported it, but by then the data had already been disclosed to recipients who had no business receiving it.
The Second Incident: A January Migration, an October Revelation
Carousell disclosed the second breach on October 17, 2022. This time the personal data of about 2.6 million users was affected. The root cause was a public-facing Application Programming Interface (API) introduced during a system migration in January 2022. The API, used to retrieve user data, returned non-public fields, including email addresses, telephone numbers and dates of birth, to callers who should only have seen public profile information. This is the class of flaw the OWASP API Security Top 10 lists as excessive data exposure: the endpoint hands back more of the stored record than the caller is entitled to see. A threat actor exploited it to harvest personal data at scale through 46 accounts with large followings. Carousell patched the API on September 15, 2022, but did not detect the breach itself; it learned of it on October 13, 2022, when the PDPC alerted it that the user data was being offered for sale on an online forum.
PDPC Findings and Actions: A Search for Accountability
The PDPC found Carousell in breach of the Personal Data Protection Act (PDPA). Its investigation identified two root causes common to both incidents: Carousell had not carried out adequate pre-launch testing of the new features, and it lacked comprehensive documentation of the application's functional and technical specifications, which hampered its ability to trace and resolve problems once they surfaced.
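The API incident described above and the PDPC's finding on pre-launch testing point at the same control. The following is an added example, not Carousell's code: a hypothetical profile endpoint that serialises the whole stored record (the "before"), the allowlist version that returns private fields only to the record's owner (the "after"), a follower listing that shows why a leaky profile serialiser turns a few popular accounts into a bulk dump, and the two pre-launch checks that would have flagged the leak and any undocumented field. All names, fields and fixture data are constructed for illustration.

```python
"""Added example (not Carousell's code): how a profile API leaks non-public
fields, the allowlist that prevents it, and the pre-launch checks that would
have flagged it. All names, fields and fixture data are constructed."""
from dataclasses import dataclass, asdict, fields
from typing import Callable, Optional

# Every stored field is classified as public or private. A field in neither
# set is a documentation gap, and unclassified_fields() reports it.
PUBLIC_FIELDS = frozenset({"user_id", "username", "follower_count"})
PRIVATE_FIELDS = frozenset({"email", "phone", "date_of_birth"})


@dataclass
class UserRecord:
    user_id: int
    username: str
    follower_count: int
    email: str
    phone: str
    date_of_birth: str


# Constructed fixture records; none of this is real user data.
FIXTURE = UserRecord(42, "seller42", 12000, "seller42@example.com",
                     "+65 0000 0000", "1990-01-01")
FOLLOWERS = [
    UserRecord(7, "buyer7", 3, "buyer7@example.com", "+65 0000 0007", "1988-05-05"),
    UserRecord(8, "buyer8", 0, "buyer8@example.com", "+65 0000 0008", "1995-09-09"),
]

Handler = Callable[[UserRecord, Optional[int]], dict]


def profile_vulnerable(record: UserRecord, requester_id: Optional[int]) -> dict:
    """'Before': the migrated endpoint serialises the whole storage row, so
    every field the schema ever gains is returned to any caller."""
    return asdict(record)


def profile_hardened(record: UserRecord, requester_id: Optional[int]) -> dict:
    """'After': return only allowlisted public fields; private fields are
    added only when the caller is the record's owner."""
    allowed = set(PUBLIC_FIELDS)
    if requester_id is not None and requester_id == record.user_id:
        allowed |= PRIVATE_FIELDS
    return {k: v for k, v in asdict(record).items() if k in allowed}


def followers_of(profile: Handler, account: UserRecord, followers: list,
                 requester_id: Optional[int]) -> list:
    """Follower listing built on a profile serialiser. One request for a
    popular account yields every follower's record, which is why a leaky
    profile serialiser turns a handful of large accounts into a bulk dump."""
    return [profile(f, requester_id) for f in followers]


def leaked_private_fields(profile: Handler, record: UserRecord = FIXTURE) -> set:
    """Pre-launch check: call the serialiser as an anonymous caller and as an
    unrelated logged-in user; report any private field either one receives."""
    leaked = set()
    for requester in (None, record.user_id + 1):
        leaked |= PRIVATE_FIELDS & set(profile(record, requester))
    return leaked


def unclassified_fields() -> set:
    """Schema-drift check: every stored field must be declared public or
    private, so a new column cannot default to 'returned to everyone'."""
    stored = {f.name for f in fields(UserRecord)}
    return stored - PUBLIC_FIELDS - PRIVATE_FIELDS


if __name__ == "__main__":
    print("vulnerable leaks:", sorted(leaked_private_fields(profile_vulnerable)))
    print("hardened leaks:  ", sorted(leaked_private_fields(profile_hardened)))
    print("unclassified:    ", sorted(unclassified_fields()))
    print("bulk dump via vulnerable followers endpoint:",
          followers_of(profile_vulnerable, FIXTURE, FOLLOWERS, None))
```

The two checks at the bottom are the ones worth wiring into CI before any feature that returns user data ships: leaked_private_fields runs each serialiser as an outsider and fails on any private field, and unclassified_fields fails the build the moment someone adds a column without deciding whether it is public. Together they give a migrated endpoint no way to default to "return everything".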
Taking Carousell's cooperation with the investigation and the remedial steps it had already taken as mitigating factors, the PDPC imposed a fine of S$58,000 and directed Carousell to review its internal processes, specifically its software testing procedures and its documentation practices. Carousell must report back to the PDPC on the outcome of that review and the corrective actions taken.
Reflections: Navigating the Digital Landscape
Carousell's case is a reminder that data protection failures are usually engineering failures: a chat change shipped without a test of which fields would reach which recipients, and an API migrated without anyone verifying what it returned to ordinary callers. Organisations that hold personal data need testing that explicitly covers what each feature discloses, and to whom, and documentation precise enough that a field's sensitivity is known when the code that returns it changes. The PDPC's directive on testing and documentation is not box-ticking; it names the two controls the commission itself found missing before both breaches.