Singapore-based classifieds company Carousell has been fined US$43,000 for two separate data breaches, one that saw over 2.6 million users’ data put up for sale on an online forum and a second that hit 44,000 users across Singapore, Malaysia, Indonesia, Taiwan and the Philippines.

Both breaches took place in 2022, with the details revealed in a court decision by the Personal Data Protection Commission (PDPC).

The first violation happened in July when Carousell changed its chat function. Due to human error, Philippines-based users’ phone numbers were leaked, and all 44,477 unregistered email addresses were automatically attached to messages sent to those who had placed property listings across all marketplace categories.

The second data leak happened in October the same year, when Carousell launched an application programming interface (API) allowing the migration of 2.6 million users’ data to third-party software. Filtering was not enabled and the API could not protect the data, which consisted of users’ email addresses, telephone numbers and dates of birth. The data was put up for sale on an online forum following the breach.

To stop further scams, Carousell recently decided to suspend the sale of Taylor Swift concert tickets across all six of its markets, ahead of the singer’s concert in Singapore.

“Selling concert tickets is not prohibited in our community guidelines as we are an open and inclusive marketplace. However, this concert is unique in that we expect many overseas concertgoers who may not know how to adequately protect themselves from local scam tactics,” said Su Lin Tan, Carousell’s chief of staff.

The company will start using new AI-based detection for fake tickets and manual moderators to identify and remove fraudulent listings. Users are also encouraged to help report any scams directly through the “report listing” feature, which is available on both the web and the app.
