The first data breach took root in July 2022 when Carousell implemented changes to its chat function.
The changes were meant to be limited to users in the Philippines who were responding to property listings. When the users provided prior consent, their first name, email address and phone number would be automatically sent to the owner of the property listing.
Due to human error, however, the email addresses and names of guest users were automatically appended to all messages sent to the listing owners of all categories in all markets.
For guest users in the Philippines, their telephone numbers were also appended to the messages.
Carousell did not pick up on this bug at the time. Instead, a month later, it implemented a fix to resolve an unrelated issue with the pre-fill functionality of the chat function.
This worsened the effect of the original bug. The email addresses and names of registered users were then automatically appended to messages sent to listing owners of all categories in all markets as well.
For users in the Philippines, their telephone numbers were also appended.
On Aug 24, 2022, Carousell fixed the bugs after a user sent in a report.
The bugs led to the personal data of 44,477 people being leaked. This comprised the email addresses of all affected users as well as the mobile phone numbers of users in the Philippines.
While names associated with users’ accounts were also disclosed, the PDPC did not consider this relevant in assessing how Carousell breached the Personal Data Protection Act (PDPA).
The commission accepted Carousell’s explanation that these names were not necessarily indicative of the users’ actual names, and were already listed on the users’ public profiles.
As for the second data leak, the PDPC alerted Carousell to it on Oct 13, 2022 when someone offered about 2.6 million users’ personal data for sale.
The breach arose when Carousell launched a public-facing application programming interface (API) during a system migration process on Jan 15, 2022. An API allows computer programmes to communicate with each other.
However, Carousell inadvertently failed to apply a filter on the API it had launched.
The filter would have ensured that only publicly available data of users who were followed by, or following, a particular Carousell user would be called up.
Because the filter was not present, the API was able to call up the users’ private data comprising email addresses, telephone numbers and dates of birth.
This vulnerability was exploited by a threat actor who scraped the accounts of 46 users with large numbers of users following them, or who were following many other users. This occurred in May and June 2022.
Carousell’s internal engineering team discovered the API bug on Sep 15, 2022 and deployed a patch that same day.
When the company conducted internal investigations to find out if users’ personal data had been accessed without authorisation in the 60 days before it discovered the bug, it did not detect any anomalies.
Carousell remained unaware of this breach till the PDPC informed them of the data sale advertisement.
The judgment did not indicate whether the data was actually sold.