Breach of the Protection Obligation by FWD Singapore

Breach of the Protection Obligation by FWD Singapore

7 Aug, 2020

A warning was issued to motor insurance company FWD Singapore for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of the personal data of 71 individuals.

On 26 July 2019, the Personal Data Protection Commission (PDPC) was notified by FWD Singapore Pte Ltd of the unintended disclosure of 71 individuals’ personal data, contained in 42 payment advice letters sent to incorrect recipients between 20 June and 17 July 2019.  

The incident arose from the organisation’s attempt to fix a logic error in the system that it used to generate payment advice letters. This led to another logic error. The second error caused the extraction of incorrect mailing addresses for payment advice letters in some circumstances. This resulted in the affected individuals’ names and identification numbers being sent to incorrect addresses. 

The Commission found that the second logic error could have been detected if manual code review and unit testing had been conducted. Thus, the Commission found the organisation in breach of its Protection Obligation under section 24 of the Personal Data Protection Act 2012 (PDPA). 

The Commission took into account the following factors in its decision: 

a. The organisation had managed to retrieve letters containing the personal data of 67 out of the 71 affected individuals. 

b. The organisation voluntarily notified the Commission of the Incident. 

c. The second logic error resulted in the extraction of incorrect mailing addresses only in limited circumstances. 

Hence, PDPC issued a warning to FWD Singapore. No directions were required as the organisation took steps to improve its development processes to prevent the incident from recurring.


Adapted from:

Breach of the Protection Obligation by FWD Singapore

by Shermaine Ang

Edited by Leong Wai Chong, CIPM, GRCP



Become a DPEX Community member to access
data protection resouces and discussions on pertinent topics now.

Access online / in-person courses and view past training records

Join lively discussions on pertinent data protection topics

Gain access to data protection research and video resources

Receive value-added data protection updates from the region

  Related Articles
Recommendations of Public Sector Data Security Re…

In the wake of major breaches, the Public Sector Data Security Review Committee…

Care in Using Zoom Video Conferencing

Wikipedia tells us that Zoom Video Communications was founded in 2011 by Eric Y…

Additional offences under the PDPA that could get…

On Thursday 14 May 2020, the Ministry of Communications and Information and the…