AIA Singapore slapped with SG$10k fine for data breach

AIA Singapore has received a penalty of SG$10,000 from the Personal Data Protection Commission (PDPC) for failing to make “reasonable” security arrangements in its letter generation process. The fine follows an incident in which 245 letters that the insurer generated for various customers on 22 and 27 December 2017 were all sent to just two customers.

These letters comprised four integrated shield plan premium notice reminder letters, 237 integrated shield plan premium notice letters, three change of payor letters and one modified terms of coverage letter. They were delivered to the two customers between 28 December 2017 and 2 January 2018: the first customer received 179 letters and the second received 66.

AIA Singapore learned of the error on 30 December 2017 through a social media post by the first customer, and took remedial action to mitigate the damage caused and to prevent a recurrence. According to a case document seen by Marketing, the insurer implemented a software fix to resolve the error in the system, validated and matched the despatch addresses printed on the automatically generated letters, and retrieved 243 unopened letters, which were then reprinted and re-sent to the customers concerned.

In a statement to Marketing, an AIA spokesperson said the company takes full responsibility for the 2017 technical error and that it took immediate steps to retrieve all the wrongly addressed letters, with the exception of one letter that was determined to have been lost in transit. Treating the incident as a lesson, the spokesperson added, the company has strengthened its internal processes to prevent such incidents from happening again.

“At AIA Singapore, we are serious about safeguarding confidential information entrusted to us, and will continually strive to better serve our customers,” she said.

According to the PDPC, AIA Singapore had potentially compromised policyholders’ personal data through the misdirected mailing and was therefore in breach of section 24 of the Personal Data Protection Act 2012 (PDPA). That section requires an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. After its investigation, the PDPC concluded that AIA Singapore had not conducted sufficient testing before rolling out the fix for the initial system error, and had not instituted sufficient controls or checks to ensure the accuracy of the letters the system automatically generated.

In March this year, the personal information of approximately 200 current agents, former agents and their family members was publicly accessible on AIA Singapore’s web portals. The insurer was notified of the system issue on 27 February and had the page taken down. An AIA spokesperson told Marketing at the time that it was an isolated incident and that the company was committed to taking action to ensure it does not happen again.