While data breaches are becoming more frequent, it is still rare for the same organisation to fall victim repeatedly. Unfortunately, for the ride-hailing service provider Grab, data breaches continue to haunt the organisation.
In what was reported as the organisation's fourth data breach, Grab was this time penalised SG$10,000 by Singapore's Personal Data Protection Commission (PDPC) for a personal data breach that affected more than 21,000 of its users.
According to a media release by the commission, on 30th August 2019, Grab notified PDPC that, for a short period of time on the same day, the profile data of 5,651 GrabHitch drivers was exposed to the risk of unauthorised access by other GrabHitch drivers through the Grab App. Grab traced the cause of the incident to the deployment of an update to the Grab App on the same day.
However, the update failed and led to the data of a total of 21,541 GrabHitch drivers and passengers being exposed to the risk of unauthorised access. This data included profile photos, passenger names, vehicle licence plate numbers, wallet balances, booking details (including pick-up and drop-off timings), as well as driver details such as vehicle make and model.
Upon being notified of the incident, Grab rolled back the Grab app to the version prior to the update within approximately 40 minutes. Grab also embarked on an architecture review of its legacy applications and the relevant code, which had not been reviewed for an extended period of time. It also reviewed its testing procedures, including implementing mandatory automated tests for all API endpoints dealing with personal data.
While Grab has been cooperating with the investigation, the PDPC felt Grab did not put in place sufficiently robust processes to manage changes to its IT system that may put the personal data it was processing at risk. This was a particularly grave error given that this is the second time Grab has made a similar mistake. In June 2019, Grab was fined SG$ 16,000 for a 2017 incident that arose from an email mismatch, which ended up leaking data of 120,000 customers in marketing emails.
The commission also felt Grab did not conduct enough testing before deploying the update to the app. Grab admitted that it did not conduct tests simulating multiple users accessing the Grab app, whether concurrently or consecutively. It also admitted that it did not conduct any specific test to verify how the caching mechanism would behave in tandem with the update.
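The two gaps the commission named (no multi-user testing, no test of how the cache behaved with the update) and the remedial step Grab took (mandatory automated tests for API endpoints handling personal data) can be turned into one concrete isolation test. The block below is an added illustration, not Grab's code and not a reconstruction of its API; the article says only that caching interfered with the API, so the specific defect modelled here, a response cache keyed by the endpoint path alone rather than by path plus authenticated caller, is an assumption. The sample profiles, the `/v1/me` path and all function names are constructed for the example. The test drives the endpoint both consecutively and concurrently and reports every response that belongs to a different user than the caller.

```python
"""Cross-user cache isolation test for a personal-data endpoint.

Added example, not Grab's code. Models a toy "/v1/me" profile endpoint with a
response cache in front of the backend lookup, in two configurations:
  - weak:      cache key = path only            (any caller can be served a
                                                 cached copy of someone else)
  - corrected: cache key = path + authenticated user id
The assumed defect (path-only cache key) is an assumption; the article only
states that caching interfered with the updated API.
"""
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Tuple

# Constructed sample data: driver profiles keyed by user id (not real people).
PROFILES: Dict[str, dict] = {
    "driver-001": {"name": "Driver One",   "plate": "SBA1234A", "wallet": 12.50},
    "driver-002": {"name": "Driver Two",   "plate": "SBC5678B", "wallet": 80.00},
    "driver-003": {"name": "Driver Three", "plate": "SGD9012C", "wallet": 0.25},
}

CacheKeyFn = Callable[[str, str], str]


class ProfileApi:
    """Toy endpoint: returns the caller's own profile, with a response cache."""

    def __init__(self, cache_key: CacheKeyFn) -> None:
        self._cache: Dict[str, dict] = {}
        self._lock = threading.Lock()
        self._cache_key = cache_key
        self.backend_hits = 0  # how many times the real lookup ran

    def get_me(self, user_id: str) -> dict:
        # user_id stands in for the identity established by authentication.
        key = self._cache_key("/v1/me", user_id)
        with self._lock:
            cached = self._cache.get(key)
        if cached is not None:
            return cached
        profile = dict(PROFILES[user_id])  # the "backend" lookup
        with self._lock:
            self.backend_hits += 1
            self._cache[key] = profile
        return profile


def key_by_path_only(path: str, user_id: str) -> str:
    """Weak setting: caller identity is not part of the cache key."""
    return path


def key_by_path_and_user(path: str, user_id: str) -> str:
    """Corrected setting: every user gets a separate cache entry."""
    return f"{path}|{user_id}"


def cross_user_leaks(api: ProfileApi, users: List[str],
                     rounds: int = 3, workers: int = 8) -> List[Tuple[str, str]]:
    """Call the endpoint consecutively, then concurrently, as several users.

    Returns (caller_id, name_in_response) for every response whose profile
    does not belong to the caller. An empty list means isolation held.
    """
    leaks: List[Tuple[str, str]] = []

    def call(user_id: str) -> None:
        resp = api.get_me(user_id)
        if resp["name"] != PROFILES[user_id]["name"]:
            leaks.append((user_id, resp["name"]))  # list.append is atomic in CPython

    for user_id in users:          # consecutive access
        call(user_id)
    with ThreadPoolExecutor(max_workers=workers) as pool:   # concurrent access
        list(pool.map(call, users * rounds))
    return leaks


if __name__ == "__main__":
    users = list(PROFILES)
    weak = ProfileApi(key_by_path_only)
    fixed = ProfileApi(key_by_path_and_user)
    print("path-only cache key  :", cross_user_leaks(weak, users))
    print("path+user cache key  :", cross_user_leaks(fixed, users),
          "| backend hits:", fixed.backend_hits)
```

With the path-only key the first caller's profile is cached and then handed to every other caller, so the consecutive phase alone already reports a leak; the corrected key yields no leaks and exactly one backend hit per user. A check of this shape, run for every endpoint that returns personal data, is the kind of mandatory automated test the article says Grab introduced after the incident.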
What Needs to Be Done?
Interestingly, HackerOne, the bug bounty organisation, does work with Grab to help uncover security bugs and vulnerabilities. CyberSecurity Asean reached out to HackerOne as well as several cybersecurity experts in the region to get their views on the incident and on what Grab can do to ensure it does not suffer data breaches again. As of the time of publication of this article, we have yet to receive any comments from HackerOne.
According to Kevin Reed, Acronis CISO, Grab seemed to make a breaking (i.e., not compatible with past versions) change to the API without fully understanding the consequences. This caused the caching to interfere with the working of the API.
Kevin agrees largely with the commission's assessment that testing would have prevented this from happening; however, in his opinion, the root cause is a weak engineering culture at Grab, multiplied by the "move fast, break things" attitude that many startups embrace. Basically, the institutionalised promotion of reckless behaviour in the engineering organisation. While "growth at all costs" is often a mantra at startups, here Grab shifted the cost of its growth over to its customers, whose data were exposed.
“Based on the description, Grab was (apparently, haphazardly) trying to fix another vulnerability that allegedly exposed data of all their users via an API call. First, a vulnerability was introduced, but when they rushed to fix it, they introduced another one instead. It seems like no one looked at the API design. Companies need to inculcate a security mindset in their engineering teams and make it so that engineers are aware of the security risks of their design decisions and able to take the security implications of those decisions into account. It seems to me, Grab engineers were not qualified enough. Second, companies need to change their culture so that engineers are not only capable of understanding the security aspects, but also willing to take them into account”.
While consumers can’t do much, Kevin believes governments need to step in to develop and enforce standards that will allow citizens to identify themselves without providing sensitive data to companies. The technical aspect of this problem has long been solved by social networks and other technology companies with specifications like OAuth and OpenID Connect.
“I strongly believe governments, especially in countries like Singapore with strong tech knowledge, should push more for such technologies to be adopted or even made mandatory for organisations with a high risk of exposing personal data. Interestingly, the Singapore government has SG-Verify API that has already laid the technological foundation for that, so it's up to policymakers to push companies to use it. Right now, it seems to only be useful for off-line verification, but the principle is the same”.
Echoing his comments was Jonathan Knudsen, Senior Security Strategist at Synopsys. Jonathan explained that when software is created, a Secure Software Development Life Cycle (SSDLC) is the best way to improve its security and quality.
“You get better software by making security a concern at every phase of software development and integrating static analysis, software composition analysis and other types of security testing into development processes. The problem for buyers is measuring the security and quality of software. How do you know it works right? How do you know it doesn’t have gaping security holes? The answer is a combination of understanding how the software is made and performing security testing on the finished product”.
Yeo Siang Tiong, General Manager for Southeast Asia at Kaspersky, suggested that major e-commerce companies handling millions of data records provide their Security Operations Centre (SOC) team with access to the latest threat intelligence and stay up to date with the new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
He added that endpoint detection and response solutions should also be implemented for endpoint-level detection, investigation and timely remediation of incidents. In addition to adopting essential endpoint protection, these companies should also implement a corporate-grade security solution that detects advanced threats at the network level at an early stage.