Singapore’s Personal Data Protection Commission revealed on Thursday that it fined ride-hailing firm Grab SGD 10,000 (USD 7,300) in July for compromising the personal data of more than 21,000 users.

Grab implemented an update to its mobile app on August 30, 2019 in order to address a potential data risk on GrabHitch, the carpooling service which allows regular drivers to provide lifts to commuters. However, an oversight in the update exposed personal data of 21,541 GrabHitch drivers and passengers to the risk of unauthorized access.

Specifically, profile pictures, passenger names, vehicle plate numbers, and wallet balances, including user histories of ride payments were compromised. Addresses, pick-up and drop-off times, and vehicle models were also exposed.

After Grab found out about the potential data risk, the firm removed the update within 40 minutes and attempted to prevent unauthorized transfers by increasing the minimum cash-out amount for GrabHitch wallets to SGD 200,000 (USD 146,000). It also reviewed testing procedures and informed the commission. On September 10, Grab released a new update for its app.

The commission found that Grab did not implement “sufficiently robust processes to manage changes to its IT system” and described the incident as a “particularly grave error.” The incident is Grab’s fourth privacy breach in Singapore since 2018.

Established in 2012, Grab started out as a ride-hailing app before expanding into other verticals, such as food delivery and mobile payments, and now touts itself as Southeast Asia’s leading super app. The firm is present in 351 cities across Southeast Asia and has more than 187 million mobile downloads.