A warning was issued to motor insurance company FWD Singapore for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of the personal data of 71 individuals.
On 26 July 2019, the Personal Data Protection Commission (PDPC) was notified by FWD Singapore Pte Ltd of the unintended disclosure of 71 individuals’ personal data, contained in 42 payment advice letters sent to incorrect recipients between 20 June and 17 July 2019.
The incident arose from the organisation’s attempt to fix a logic error in the system that it used to generate payment advice letters. The attempted fix led to a second logic error, which in some circumstances caused incorrect mailing addresses to be extracted for payment advice letters. As a result, the affected individuals’ names and identification numbers were sent to incorrect addresses.
The Commission found that the second logic error could have been detected if manual code review and unit testing had been conducted. Thus, the Commission found the organisation in breach of its Protection Obligation under section 24 of the Personal Data Protection Act 2012 (PDPA).
The Commission took into account the following factors in its decision:
a. The organisation had managed to retrieve letters containing the personal data of 67 out of the 71 affected individuals.
b. The organisation voluntarily notified the Commission of the incident.
c. The second logic error resulted in the extraction of incorrect mailing addresses only in limited circumstances.
Hence, PDPC issued a warning to FWD Singapore. No directions were required as the organisation took steps to improve its development processes to prevent the incident from recurring.
by Shermaine Ang
Edited by Leong Wai Chong, CIPM, GRCP