Update (23 February 2023, 6:20PM): Carousell provided a statement in regards to the fine from the PDPC, which we’ve included at the end of the original article.
Original article below:
Carousell has been fined SG$58,000 (~RM206,344) by the Singaporean government, over two data breaches that occurred back in 2022. One breach led to the data of at least 2.6 million customers being compromised and put up for sale online, while the other led to 44,000 users from Singapore, Malaysia, Indonesia, Taiwan, and the Philippines being exposed.
In regards to the first Carousell breach, it occurred when the company was implementing changes to its chat function, back in July 2022. As per CNA’s report, the changes were supposed to be limited to users in the Philippines who were specifically responding to property listings – if a user showed interest in a property, their name, email, and phone number would be sent to the owner of said listing automatically.
Unfortunately, due to a case of human error within Carousell, the email addresses and names of guest users were automatically appended to all messages sent to the listing owners. For users in the Philippines, this included their contact numbers as well. This ultimately led to the personal data of 44,477 people being compromised but ultimately, it was found that the company did not breach Singapore’s Personal Data Protection Act.
As for the second Carousell breach, this happened in October 2022. when the marketplace was reportedly launched a public-facing API, after a system migration that occurred months earlier. However, the company’s IT wing had failed to apply a filter on the API, enabling it to call up private data of users, comprising email addresses, phone numbers, as well as dates of birth.
Unsurprisingly, this flaw was exploited by a threat actor who scraped Carousell’s database. This was the breach that affected 2.6 million users, and it wasn’t until Singapore’s Personal Data Protection Commission (PDPC) clued the company in, that it began acting on the information.
Carousell provided a statement regarding the matter:
“We respect the Personal Data Protection Commission’s (PDPC) published decision regarding the Sep and Oct 2022 incidents, which also notes Carousell’s prompt and effective remediation actions to enhance data security and prevent similar incidents from occurring in future. Carousell has been working on addressing the additional recommended remediation steps set out by PDPC in their final decision. Both incidents were isolated one-off incidents that happened due to unrelated bugs that were introduced that have since been fixed. Additionally, the Commission also notes that the threat actor in the Sept Incident was particularly sophisticated in avoiding the security measures Carousell had implemented.
Protecting our users’ personal information has been and will always be of paramount importance to us. To ensure that we maintain a robust and effective security posture, we continually invest significant resources in enhancing our security infrastructure and cyber security efforts.”
(Source: CNA)
