The Personal Data Protection Commission imposed a $3,000 financial penalty on DataPost, a business printing and mailing solutions provider, for a data breach that led to leaks of personal financial information.
The commission, which probed the case, said the sensitive nature of the data was an aggravating factor. But it was mitigated by the small scale of the breach as personal data belonging to only two persons was disclosed to a single recipient.
"The data breach could have been avoided if DPL (DataPost) had taken some simple additional measures," said the commission in decision grounds issued on Tuesday.
In a statement to The Straits Times yesterday, the firm said: "Since the incident, we have enforced measures to tighten the procedures. The incident happened in May 2016, (and was) caused by negligence of a staff member.
"We acknowledged the outcome of the case and as a responsible company, we take this very seriously."
DataPost was tasked to print and mail out financial statements relating to a bank's Supplementary Retirement Scheme (SRS) to its customers. But one customer received two additional statements belonging to two other bank customers along with her own SRS statement last June.
The commission found the processes DataPost had in place "did not meet the reasonable standards expected of it"and directed the company to review its relevant internal working procedures, among other things.
Data disclosed in the statements comprised names, addresses, cash balances and details of asset holdings.
At DataPost, the SRS statements were printed on A3 sheets, as formatted, and an enveloping machine was used to cut the statements and insert them individually into their respective mailer envelopes.
The firm's internal investigations showed that human error by the duty operator caused the breach.
The operator had manually checked the first envelope generated by the test run but mistakenly concluded that three statements contained in the first envelope belonged to the same person when they actually belonged to three different persons.
The statements had been placed in the same envelope due to an "operating peculiarity" but he had moved the envelope from the reject bin to the main bin which meant two additional layers of checks were bypassed.
The commission found the processes DataPost had in place "did not meet the reasonable standards expected of it" and directed the company to review its relevant internal working procedures, among other things.
DataPost said yesterday that it will adopt the commission's recommendations to review its procedures, staff training and data protection policies.
It added: "We are committed to constantly reviewing our procedures and working with our customers to prevent such incidents from happening."