3 big insurance brands fined by PDPC for customer data breach

AIG Asia Pacific, AVIVA and NTUC Income have been fined by the Personal Data Protection Commission for breaches of their customers' personal data. The brands were fined SG$9,000, SG$30,000 and SG$10,000 respectively for breaches relating to the mailing of printed customer information.

AIG’s data breach occurred in June last year when it placed an incorrect facsimile (fax) number on its policy renewal notices addressed to policyholders. The incorrect fax number belonged to Japanese departmental store Tokyu Hands Singapore. This saw policyholders faxing their renewal notices to the latter instead of AIG, resulting in the data breach.

In the same month, NTUC Income printed a batch of 426 client letters, a majority of which were sent to remind clients to pay their insurance premiums. It was later informed by several clients that they received a policy letter addressed to them, with a letter addressed to another client on the reverse of the same letter. The personal data breached includes information such as names, residential addresses and policy information.

Meanwhile, AVIVA was fined for mistakenly mailing out underwriting letters meant for three different clients to another single client. This was similar to a previous incident the year before, which saw the insurance brand being fined SG$6,000 the first time.

Following the breaches, the PDPC has also released a new guide to printing processes to ensure that organisations and print vendors have adequate measures in place in their printing processes to protect the personal data in their possession and/or control against unintended disclosure.
