AIA, an insurance company based in Singapore, has been fined SG $10,000 by the Personal Data Protection Commission (PDPC). According to sources, AIA wrongfully sent letters meant for 245 individuals to just two of its customers. The company also experienced another breach in March 2019.
Based on a report released by Straits Times, the company's mistake stemmed from a programming error in the system. Software designed to fix previous concerns within the system instead led to the wrong dispatch addresses being written.
The letters contained insurance reminders, with 237 of these being Integrated Shield Plan premium notices. Meanwhile, three were payor correspondences, while one concerned modified terms and coverage. One letter was reportedly lost in transit, while one letter found its way to the rightful owner.
According to Insurance Business Asia, the letters contained personal information of consumers. This included policy numbers, premium accounts, full names, and due dates of the recipients. All of these details fall under the Integrated Shield Plan of AIA.
Based on the findings of Marketing Interactive, AIA generated the correspondences on December 22 and December 27, 2017. The two unnamed customers received the letters between December 28, 2017, and January 2, 2019. The first customer received 179 notices, while the second client received a total of 66 memos.
AIA became aware of the incident after the first customer posted about it on social media, notes Straits Times.
Apart from the letter mishap, AIA also experienced another data breach, which impacted the firm in March 2019. Insurance Business Asia reports that personal information of both current and former agents is available on a server. Over 200 agents were affected by the leak, which compromised their privacy and personal data.
Following the succession of breaches, deputy commissioner Yeong Zee Kee of PDPC said AIA failed to think ahead. The representative also said that the Singapore-based firm violated section 24 of the Personal Data Protection Act 2012, which requires companies to protect information to “prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.”
After experiencing one data leak after another, AIA released a statement acknowledging its fault. The spokesman said, “This was a technical error that occurred in 2017, which we take full responsibility for.” The spokesman also notes that this incident “further strengthened our internal processes to avoid such incidents happening again.”