
Carousell Faces Backlash for Data Breach: Lessons Learned

Updated: Apr 22, 2023

Carousell, a popular online marketplace based in Singapore, recently announced that it had suffered a data breach. The breach occurred in February 2021 and resulted in unauthorized access to user data, including names, phone numbers, and email addresses. The company initially failed to inform affected users of the breach, leading to criticism from users and cybersecurity experts.

Carousell eventually sent out notifications to affected users, informing them of the breach and recommending that they change their passwords. The company stated that it had taken measures to address the breach and strengthen its security.

Which Obligations Were Breached?

The Carousell data breach primarily relates to the company's obligation to protect user data. Companies that collect and process personal data are required to take measures to ensure the security of that data, in accordance with relevant laws and regulations. The unauthorized access to user data held by Carousell represents a failure to meet this obligation.

Carousell's delay in notifying affected users is a further breach of its obligations. Under Singapore's Personal Data Protection Act (PDPA), companies are required to notify affected individuals of data breaches in a timely manner. Carousell's failure to do so led to criticism from users and experts.

What Can We Learn from This?

The Carousell data breach highlights the importance of data protection and cybersecurity. Companies that collect and process personal data have a duty to take measures to ensure the security of that data, and to notify affected individuals in the event of a breach. The breach also underscores the importance of transparency and accountability, particularly in the face of a cybersecurity incident.

In addition, the Carousell data breach serves as a reminder to individuals to take steps to protect their personal data. Users of online marketplaces and other digital platforms should take measures such as using strong passwords and enabling two-factor authentication, in order to reduce the risk of unauthorized access to their personal data.

The Carousell data breach serves as a cautionary tale for companies and individuals alike. Companies must take steps to ensure the security of personal data, and to meet their obligations under relevant laws and regulations. Users, on the other hand, must remain vigilant and take steps to protect their personal data.



Disclaimer: The information provided in all our blog posts is intended for general informational purposes only and does not constitute legal advice. The author and publisher are not liable for any damages or losses resulting from reliance on this information. It is recommended to consult with a legal professional for specific advice regarding PDPA compliance and other related data privacy obligations.
