Privacy watchdog PDPC probing SP Group after 706 e-mail addresses exposed

SINGAPORE - Singapore's privacy watchdog is investigating electricity provider SP Group after the company sent out an advisory that exposed more than 700 e-mail addresses.

In a Facebook post on Thursday (Aug 29), SP Group said that it had sent a group of customers an e-mail which showed the e-mail addresses of all recipients, and that no other personal information was exposed.

A spokesman for the Personal Data Protection Commission (PDPC) said that it was aware and was looking into the matter.

The Straits Times understands that the advisory was meant to notify customers to update their user ID for their SP Group accounts, as its website will no longer accept NRIC or FIN numbers for account logins from Sept 1.

This is in line with the deadline to comply with the Personal Data Protection Commission's advisory guidelines on NRIC and other identification numbers.

"We are sorry about this mistake and have notified the affected customers," said SP Group in a reply to ST queries.

"We are strengthening controls and processes to prevent this from happening again."

Mr Bryan Tan, a lawyer from Pinsent Masons MPillay specialising in technology law and data protection, said the gaffe could be a breach of the Personal Data Protection Act, which protects the personal data of consumers from being misused or exposed.

"PDPC has specifically advised that companies have to implement procedures to ensure all e-mails sent externally to a group of recipients have the recipients' e-mail addresses placed in the BCC field to avoid disclosing recipients' e-mail addresses to all other recipients of the e-mail," he said.

Mr Tan also pointed out that this was a case of "history repeating itself". Last month, electricity retailer Geneco had also exposed the personal e-mails of more than 350 of its potential customers.

And earlier this month, Swedish retailer Ikea apologised to affected customers in Singapore after the company inserted 410 individual e-mail addresses in the wrong message field of a promotional mailer and sent it out.

Said Mr Tan: "Organisations can easily procure add-ins for their e-mail software to force users to check e-mails before sending out."

Under the Personal Data Protection Act, organisations found flouting Singapore's privacy laws can be fined up to $1 million.

In a separate Facebook post on Wednesday, SP Group had warned consumers against scammers impersonating it to gain personal information.

SP Group said it had received reports of scammers sending e-mails to customers, telling them they were mistakenly overcharged. The scammers then direct them to click on a link leading to a fake website, where they are prompted to enter their personal details.

"These messages are not from SP Group," the provider had said.

"SP Group does not request customers to verify their personal information by clicking on an e-mail link of this nature."
