AIA fined $10k for personal data breach

Insurance firm mistakenly sent 245 letters to just two people due to software error

Photo caption: AIA had mistakenly sent 245 letters meant for various customers to just two people due to a programming error in its software system that auto-generates the letters. ST PHOTO: KELVIN CHNG

Insurance company AIA was fined $10,000 by the Personal Data Protection Commission (PDPC) for mistakenly sending 245 letters meant for various customers to just two people, due to a programming error in its software system that auto-generates the letters.

The bulk of the letters - 237 - were premium notice letters for the company's Integrated Shield Plan, and contained the full names and policy numbers of the intended recipients, as well as premium amounts and due dates.

The letters were sent out between Dec 28, 2017, and Jan 2 last year, with 179 sent to the first recipient and 66 to the second one. AIA learnt of the mix-up after the first recipient posted on social media about his unexpected influx of mail.

A software fix meant to rectify a previous error in AIA's system caused it to reflect the wrong addresses on the affected letters.

The PDPC on Thursday found AIA in breach of Section 24 of the Personal Data Protection Act (PDPA), which requires organisations to make reasonable security arrangements to protect the personal data that they possess or control, and to prevent unauthorised access, collection, use, disclosure or similar risks.

Deputy PDPC Commissioner Yeong Zee Kin said insurance data was considered to be personal and of a sensitive nature, and that AIA had neither conducted sufficient testing before rolling out the software fix nor instituted sufficient checks for the accuracy of the letters.

He added that the decision took into consideration the fact that AIA had voluntarily notified the PDPC of the breach and also managed to retrieve 243 letters unopened.

One letter was lost in transit, while the last was sent to the correct recipient.

In a statement, AIA said that it would pay the fine as directed.

An AIA spokesman said: "This was a technical error that occurred in 2017 which we take full responsibility for... We have further strengthened our internal processes to avoid such incidents happening again."

The letters were subsequently re-printed and resent to the intended recipients with the deadlines in their respective letters extended.

AIA also implemented a software function in its records system that checks and validates dispatch addresses printed on auto-generated letters daily.
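A pre-dispatch check of the kind described above, as an added illustration that is not AIA's code: every generated letter's dispatch address is compared against the customer master record, and any address that would receive an unusually large share of one batch is held for review, which is the signal this incident produced (179 letters to one person). The customer records, the letter batch and the per-address threshold are constructed assumptions.

```python
from collections import Counter

# Constructed customer master records (policy number -> name and registered address).
CUSTOMERS = {
    "P-1001": {"name": "Alice Tan", "address": "1 Example Ave #01-01"},
    "P-1002": {"name": "Bob Lim", "address": "2 Example Ave #02-02"},
    "P-1003": {"name": "Carol Ng", "address": "3 Example Ave #03-03"},
    "P-1004": {"name": "Dan Koh", "address": "4 Example Ave #04-04"},
}

# Constructed batch of auto-generated premium notices. Letters for P-1002 and
# P-1003 carry P-1001's address, mimicking a faulty address-merge fix.
LETTER_BATCH = [
    {"policy_no": "P-1001", "address": "1 Example Ave #01-01"},
    {"policy_no": "P-1002", "address": "1 Example Ave #01-01"},
    {"policy_no": "P-1003", "address": "1 Example Ave #01-01"},
    {"policy_no": "P-1004", "address": "4 Example Ave #04-04"},
]


def _norm(address):
    """Canonicalise whitespace and case so cosmetic differences do not mask a mismatch."""
    return " ".join(address.split()).upper()


def validate_batch(letters, customers, max_per_address=2):
    """Return (releasable_letters, findings).

    Check 1: the dispatch address must equal the master record for that policy.
    Check 2: no single address may receive more than max_per_address letters in
    one batch; a household may hold a couple of policies, so the threshold is an
    assumed tuning knob, not a rule from the article. Held letters are never released.
    """
    per_address = Counter(_norm(l["address"]) for l in letters)
    releasable, findings = [], []
    for l in letters:
        record = customers.get(l["policy_no"])
        if record is None:
            findings.append((l["policy_no"], "unknown policy number"))
        elif _norm(l["address"]) != _norm(record["address"]):
            findings.append((l["policy_no"], "address does not match master record"))
        elif per_address[_norm(l["address"])] > max_per_address:
            n = per_address[_norm(l["address"])]
            findings.append((l["policy_no"], f"address shared by {n} letters in batch"))
        else:
            releasable.append(l)
    return releasable, findings


def batch_may_dispatch(letters, customers):
    """Gate the print run: dispatch only when the batch produced no findings."""
    return not validate_batch(letters, customers)[1]
```

Note that P-1001's own letter is held too, even though its address is correct: the cluster is what a reviewer needs to see before anything in it goes out.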

Such mix-ups seem to be quite common among big companies with bulk printing needs, said lawyer Bryan Tan, who specialises in technology law and data protection.

"But the PDPC also looks at such incidents closely and has laid out the checks expected of companies in quite some detail."

Three insurance firms - AIG, NTUC Income and Aviva - were fined by the PDPC in May last year for inadvertently disclosing insurance documents to the wrong people.


A version of this article appeared in the print edition of The Straits Times on June 22, 2019, with the headline "AIA fined $10k for personal data breach".