+44 (0) 121 582 0192 [email protected]


In the rapidly evolving digital marketplace, the security of personal data has become paramount for both consumers and businesses alike. A recent case involving Carousell, a Singaporean e-commerce giant, has thrown a spotlight on the critical importance of adhering to data protection laws and the consequences of failing to do so. This article delves into the Carousell data breach incidents, the actions taken by the Personal Data Protection Commission (PDPC) in response, and the broader implications for data privacy within the e-commerce sector.


The Incidents

In 2022, Carousell faced two significant data breaches that compromised the personal data of millions of its users. The first incident, rooted in changes to the platform’s chat function, inadvertently led to the exposure of over 44,000 users’ personal information across multiple regions, including Singapore, Malaysia, Indonesia, Taiwan, and the Philippines. This breach was primarily due to human error, which allowed the email addresses, names, and for some users in the Philippines, telephone numbers, to be unintentionally disclosed.

The second breach was more severe, with around 2.6 million users’ data being offered for sale on an online forum. This breach stemmed from an unprotected public-facing application programming interface (API) launched during a system migration process. The absence of a crucial filter in the API resulted in the unauthorised access to users’ private data, including email addresses, telephone numbers, and dates of birth.


PDPC’s Response

The PDPC’s thorough investigation into these incidents led to a fine of S$58,000 (US$43,200) for Carousell, reflecting the serious nature of the breaches and the infringement of the Personal Data Protection Act (PDPA). The commission’s findings highlighted several key issues, including the lack of proper pre-launch testing, inadequate code reviews, and insufficient documentation. These oversights not only facilitated the breaches but also hampered Carousell’s ability to quickly identify and rectify the vulnerabilities.

In its judgment, the PDPC emphasised the need for robust internal processes for software testing and documentation. It acknowledged Carousell’s cooperation and remediation efforts but pointed out that these incidents marked Carousell’s first breach of the PDPA. The PDPC’s decision took into account Carousell’s prompt response and the sophistication of the threat actor in the second breach.


Implications for Data Privacy

The Carousell case serves as a cautionary tale for other businesses operating in the digital domain. It underscores the necessity of stringent data protection measures and the potential repercussions of non-compliance with data privacy laws. The PDPC’s actions reinforce Singapore’s commitment to upholding high standards of personal data protection and serve as a reminder of the importance of continuous vigilance and improvement in data security practices.

For businesses, this case highlights the critical need for comprehensive testing and documentation procedures, especially when implementing new features or undergoing system migrations. Moreover, it demonstrates the value of early admission of liability and proactive engagement with regulatory bodies in mitigating the impact of data breaches.



As e-commerce continues to thrive, the protection of personal data must remain a top priority for businesses. The Carousell data breach incidents and the subsequent PDPC’s actions provide key lessons in the significance of adhering to data protection laws and the necessity for robust cybersecurity measures. By learning from these incidents, companies can better safeguard their customers’ data, maintain trust, and ensure compliance with regulatory requirements, thereby contributing to a safer digital marketplace for all.

In the realm of data privacy, vigilance, responsibility, and transparency are not merely regulatory requirements but fundamental pillars of trust and integrity in the digital age.

Find Out More About Formiti Singapore PDPA Service. Click Here