Insurance company AIA fined $10,000 by PDPC for personal data breach

AIA had mistakenly sent 245 letters meant for various customers to just two people due to a programming error in its software system that auto-generates the letters.
AIA had mistakenly sent 245 letters meant for various customers to just two people due to a programming error in its software system that auto-generates the letters.ST PHOTO: KELVIN CHNG

SINGAPORE - Insurance company AIA was fined $10,000 by the Personal Data Protection Commission (PDPC) for mistakenly sending 245 letters meant for various customers to just two people due to a programming error in its software system that auto-generates the letters.

The bulk of the letters (237) were premium notice letters for the company's Integrated Shield Plan, and contained full names and policy numbers of the intended recipients, as well as premium amounts and due dates.

The letters were sent out between Dec 28, 2017, and Jan 2 last year, with 179 sent to the first recipient and 66 to the second one.

AIA learnt of the mix-up after the first recipient posted on social media on his unexpected influx of mail.

A software fix meant to rectify a previous error in AIA's system caused it to reflect the wrong dispatch addresses on the affected letters.

The PDPC on Thursday (June 20) found AIA in breach of section 24 of the Personal Data Protection Act (PDPA), which requires organisations to make reasonable security arrangements to protect the personal data that they possess or control, and to prevent unauthorised access, collection, use, disclosure or similar risks.

Deputy PDPC Commissioner Yeong Zee Kin noted in decision grounds that insurance data was considered to be personal and of a sensitive nature, and that AIA had not conducted sufficient testing before rolling out the software fix or instituted sufficient checks for the accuracy of the auto-generated letters.

He added that the decision took into consideration the fact that AIA had voluntarily notified the PDPC of the breach and also managed to retrieve 243 letters unopened.

 
 
 

One letter was lost in transit, while the last was sent to the correct recipient.

In a statement, AIA said that it would the pay the fine as directed.

The spokesman said: "This was a technical error that occurred in 2017, which we take full responsibility for... We take this incident as learning, and have further strengthened our internal processes to avoid such incidents happening again."

The letters were subsequently reprinted and resent to the intended recipients with the deadlines in their respective letters extended.

AIA also implemented a software function in its records system that checks and validates dispatch addresses printed on auto-generated letters daily.

AIA also ran afoul of the PDPA in March, when one of its Web portals containing the personal information of more than 200 people was found to be accessible publicly.