SP Group under probe over leak of personal data

Electricity provider sent out advisory that exposed more than 700 e-mail addresses

Singapore's privacy watchdog is currently investigating electricity provider SP Group after it sent out an advisory that exposed more than 700 e-mail addresses.

In a Facebook post on Thursday, SP Group said it had sent a group of customers an e-mail which showed the e-mail addresses of all recipients, and that no other personal information was exposed.

A spokesman for the Personal Data Protection Commission (PDPC) said it was aware of the matter and was looking into it.

The Straits Times understands that the advisory was meant to notify customers that they had to update their user IDs for their SP Group accounts, as its website will no longer accept NRIC or FIN numbers for account logins from Sept 1.

This is in line with the deadline to comply with the PDPC's advisory guidelines on NRIC and other identification numbers.

"We are sorry about this mistake and have notified the affected customers," said SP Group in a reply to ST queries. "We are strengthening controls and processes to prevent this from happening again."

A lawyer from Pinsent Masons MPillay specialising in technology law and data protection, Mr Bryan Tan, said the slip-up could be a breach of the Personal Data Protection Act, which protects the personal data of consumers from being misused or exposed.

"PDPC has specifically advised that companies have to implement procedures to ensure all e-mails sent externally to a group of recipients have the recipients' e-mail addresses placed in the BCC field to avoid disclosing recipients' e-mail addresses to all other recipients of the e-mail," he said.

Mr Tan also pointed out that this was a case of "history repeating itself". Last month, electricity retailer Geneco also exposed the personal e-mail addresses of more than 350 of its potential customers. And earlier this month, Swedish retailer Ikea apologised to affected customers in Singapore after it inserted 410 individual e-mail addresses in the wrong message field of a promotional mailer and sent it out.

Said Mr Tan: "Organisations can easily procure add-ins for their e-mail software to force users to check e-mails before sending out."

Under the Personal Data Protection Act, organisations found flouting Singapore's privacy laws can be fined up to $1 million.

A version of this article appeared in the print edition of The Straits Times on August 31, 2019, with the headline 'SP Group under probe over leak of personal data'.