Singapore’s Personal Data Protection Commission (PDPC) has fined AIA SG$10,000 after a data breach where letters meant for 245 customers were all delivered to two people.
Almost all (237) of the letters, which contained the full names, policy numbers, premium amounts, and due dates of the intended recipients, were premium notice letters for the insurer’s Integrated Shield Plan.
The letters were sent out between December 28, 2017 and January 02, 2019, with the first recipient receiving 179 letters and the second 66. According to AIA, the mix-up was caused by a programming error in the software that generates the letters and their recipient addresses; the error was introduced by a fix that AIA had applied to remedy an earlier one.
In March, AIA was hit by another data breach, after it was discovered that personal information of over 200 of its former and current agents was publicly accessible on a server.
In its statement, the PDPC said it had found AIA in breach of section 24 of the Personal Data Protection Act 2012. The law requires all organisations to “protect personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.”
According to Yeong Zee Kin, deputy commissioner of the PDPC, AIA failed to conduct sufficient testing before rolling out the fix for the first system error, and did not institute sufficient controls or checks to ensure the accuracy of the letters that the system automatically generated.
The insurer acknowledged the error, and said that it would pay the fine.
“This was a technical error that occurred in 2017, which we take full responsibility for,” a spokesman for the company was quoted as saying by the Straits Times. “We take this incident as learning, and have further strengthened our internal processes to avoid such incidents happening again.”