PDPC fines AIA Singapore for failing to protect policyholders’ data


The Singapore-based insurance firm AIA Singapore was recently fined S$10,000 by the Personal Data Protection Commission (PDPC) for failing to put in place proper security arrangements in its letter generation process. The penalty follows an incident in which AIA Singapore sent 245 letters belonging to various policyholders to the wrong addresses, exposing those customers' sensitive information.

According to the official statement, the insurance company generated the letters on December 22, 2017, and December 27, 2017. They comprised four integrated shield plan premium notice reminder letters, 237 integrated shield plan premium notice letters, three change of payor letters and other documents containing sensitive information. Although the letters concerned many different policyholders, all of them were delivered to just two customers between December 28, 2017, and January 02, 2018.

AIA Singapore stated that the issue was caused by a technical glitch in its system while the letters were being processed online. "At AIA Singapore, we are serious about safeguarding confidential information entrusted to us, and will continually strive to better serve our customers," AIA said in a statement.

The PDPC stated that the misdirected mailing compromised policyholders' personal data and that AIA Singapore had breached its protection obligation under section 24 of the Personal Data Protection Act 2012. The PDPC also found that AIA Singapore had not performed any testing before rolling out the letters and had no checks in place to verify the accuracy of the letters the system generated automatically.

In a separate case, the PDPC recently fined the computer vendor Option Gift $4,000 for disclosing the personal information of 426 NSmen (National Servicemen) last year. The commission stated that its investigation found Option Gift had violated section 24 of the Personal Data Protection Act by exposing the sensitive information.

The compromised data included sensitive information such as login identifiers, e-mail addresses, delivery addresses and mobile phone numbers of NSmen from the Singapore Armed Forces (SAF) and the Home Team. The issue stemmed from a technical fault in Uniquerewards, an online portal maintained by Option Gift that allows NSmen to redeem credits for service-linked rewards from the Ministry of Defence (MINDEF) and the Ministry of Home Affairs (MHA).

The NSmen's personal information was leaked when e-mails that were meant to be sent to each recipient individually were instead sent to all of the NSmen, because of an error in the program script. The PDPC stated that Option Gift had failed to carry out adequate testing before deploying the script.

To strengthen cybersecurity and address next-generation cyber threats, the Personal Data Protection Commission of Singapore recently updated its guidelines on data breach notification and accountability. The new guidelines are intended to help companies manage data breaches more effectively.

Under the new procedures, which are expected to be incorporated into the upcoming data protection act, companies in Singapore should take no more than 30 days to complete an investigation into a suspected data breach. Companies are also required to notify the authorities within 72 hours of discovering a data breach. The PDPC stated that businesses must notify the authorities if a breach affects more than 500 individuals. Data intermediaries must also report potential data breaches to their parent organisation within 24 hours of identifying a security incident.