Carousell faces S$58,000 fine for data breaches affecting millions of users

Carousell’s inadequate testing, undocumented processes, and unfiltered APIs exposed millions of data, resulting in an S$58,000 fine for the breaches.

Carousell, Singapore’s online marketplace, faces a S$58,000 fine from the Personal Data Protection Commission (PDPC) for two distinct data breaches in 2022, impacting a significant 2.6 million users. These breaches exposed the personal information of millions of users, raising concerns about data security practices within the company.

The first breach stemmed from a seemingly minor change to the platform’s chat function in July 2022. This change, intended to streamline communication for property listings in the Philippines, inadvertently resulted in the leakage of email addresses and phone numbers for 44,477 users across various markets. The root cause was attributed to human error, where developers failed to properly test the impact of the changes on users beyond the targeted category. This highlights the importance of thorough testing procedures to identify and address potential vulnerabilities before implementation.


The second breach, however, was far more extensive, exposing the private data of a staggering 2.6 million users. This occurred during a system migration process in January 2022, where an unfiltered application programming interface (API) allowed unauthorized access to sensitive information like email addresses, phone numbers, and even dates of birth. The vulnerability was exploited by a “sophisticated” threat actor, highlighting the evolving tactics employed by malicious individuals to target sensitive data. Notably, Carousell remained unaware of this breach until it was alerted by the PDPC in October 2022, raising questions about the company’s internal monitoring and detection mechanisms.

In its judgment, the PDPC acknowledged Carousell’s cooperation with the investigation and its prompt remediation efforts to address the vulnerabilities. However, the commission also emphasized the severity of the breaches and the potential harm caused to affected users. The lack of proper documentation and inadequate testing procedures were identified as key contributing factors, underlining the importance of robust data security practices within organizations.

The financial sanction imposed upon Carousell serves as a powerful exemplar of the tangible implications associated with data breaches. This incident emphasizes the paramount responsibility of organizations to comply with and uphold data privacy regulations, ensuring the security and integrity of user information entrusted to them.

While the Personal Data Protection Commission (PDPC) recognized Carousell’s efforts to remediate the situation and considered extenuating factors such as their lack of prior transgressions and the sophistication of the threat actor, the broad impact of the breaches necessitates a heightened sense of accountability and prompts the implementation of more stringent data security measures across the industry.