Breach of the Protection Obligation by FWD Singapore

A warning was issued to motor insurance company FWD Singapore for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of the personal data of 71 individuals.

On 26 July 2019, the Personal Data Protection Commission (PDPC) was notified by FWD Singapore Pte Ltd of the unintended disclosure of 71 individuals’ personal data, contained in 42 payment advice letters sent to incorrect recipients between 20 June and 17 July 2019.  

The incident arose from the organisation’s attempt to fix a logic error in the system that it used to generate payment advice letters. This led to another logic error. The second error caused the extraction of incorrect mailing addresses for payment advice letters in some circumstances. This resulted in the affected individuals’ names and identification numbers being sent to incorrect addresses. 

The Commission found that the second logic error could have been detected if manual code review and unit testing had been conducted. Thus, the Commission found the organisation in breach of its Protection Obligation under section 24 of the Personal Data Protection Act 2012 (PDPA). 

The Commission took into account the following factors in its decision: 

a. The organisation had managed to retrieve letters containing the personal data of 67 out of the 71 affected individuals. 

b. The organisation voluntarily notified the Commission of the Incident. 

c. The second logic error resulted in the extraction of incorrect mailing addresses only in limited circumstances. 

Hence, PDPC issued a warning to FWD Singapore. No directions were required as the organisation took steps to improve its development processes to prevent the incident from recurring.

Adapted from:

Breach of the Protection Obligation by FWD Singapore

by Shermaine Ang

Edited by Leong Wai Chong, CIPM, GRCP