Compliance & Regulation

PDPC issues warnings to AXA and NTUC Income

The Personal Data Protection Commission Singapore has issued NTUC Income and AXA Insurance with warnings for failing to put in place reasonable security arrangements to prevent the unauthorised disclosure of personal data that they hold.

In mid-2019, the Personal Data Protection Commission (PDPC) received a complaint against AXA Insurance about an email sent with a scanned document which contained the names, NRIC numbers, insurance policy numbers and the details of the servicing agents of 87 policyholders. The email had been sent to the individual who then lodged the complaint with the PDPC.

AXA Insurance admitted that during scanning of documents by its employees, it did not have a process to segregate documents intended for internal record purposes from documents for customers, according to a document published by the PDPC.

The AXA Insurance employee, termed the "customer care specialist" in the PDPC report, also failed to check the attachment before sending out the email.

The PDPC concluded that these lapses in process led to the incident behind the complaint. The warning thus follows the PDPC's finding that AXA Insurance had failed to make reasonable security arrangements to protect the personal data of its policyholders from inadvertent disclosure by its employees.

In regard to the warning against NTUC Income, the PDPC was notified by an individual who had received automated acknowledgement emails with attached files containing the personal data of other individuals.

The issue stemmed from NTUC Income's update to its online enquiry application, which allowed users to upload supporting documents alongside their enquiries.

When a user uploaded a file when making an enquiry, NTUC Income's application assigned a variable to the file to allow it to be identified. However, due to a coding error, if the next individual submitting an enquiry did not attach a file, the variable generated for the preceding user's enquiry was carried over to the subsequent user's submission, so the supporting documents uploaded by the first user became associated with the subsequent user's (or users') enquiry.

This coding error manifested in the sending of acknowledgement emails, which were intended to include supporting documents submitted by the user.

When the acknowledgement email was sent to subsequent users, the files submitted with a previous enquiry (containing an attachment) would be sent to the subsequent users in the acknowledgement email.

This coding error resulted in the files uploaded by 17 users being distributed to a further 123 users via the affected acknowledgement emails. The files contained the uploading users' personal data, such as names, policy numbers, premium amounts, sum assured and period of coverage, email and mailing addresses.

NTUC Income has subsequently admitted that the error was due to poor coding; the PDPC concluded that such an error should have been caught during the manual code review process, before the solution was made live. The incident was the product of what could be regarded as insufficient scenario testing by NTUC Income.
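The defect pattern described above (a file identifier that is only overwritten when a new upload arrives, so it leaks into the next user's acknowledgement) and the scenario test that would have caught it, as an added illustration that is not NTUC Income's code: the service classes, the `store_file` stand-in and the sample enquiries are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Enquiry:
    user: str                   # submitting user's email (constructed sample data)
    attachment: Optional[str]   # uploaded file name, or None when nothing was attached


def store_file(name: str) -> str:
    """Stand-in for the upload store: returns the identifier assigned to the file."""
    return "id:" + name


class LeakyEnquiryService:
    """Reproduces the reported defect: the file identifier lives in state shared
    across requests and is only replaced when a new upload arrives."""

    def __init__(self) -> None:
        self.file_id: Optional[str] = None   # shared across users: the bug

    def submit(self, enquiry: Enquiry) -> dict:
        if enquiry.attachment is not None:
            self.file_id = store_file(enquiry.attachment)
        # a user who attached nothing still inherits the previous user's file_id
        return {"to": enquiry.user, "attachments": [self.file_id] if self.file_id else []}


class FixedEnquiryService:
    """Hardened form: the identifier is scoped to the single request."""

    def submit(self, enquiry: Enquiry) -> dict:
        file_id: Optional[str] = None        # fresh for every request
        if enquiry.attachment is not None:
            file_id = store_file(enquiry.attachment)
        return {"to": enquiry.user, "attachments": [file_id] if file_id else []}


def cross_user_leak(service) -> bool:
    """The scenario test that was missing: an enquiry with an upload followed by
    one without. Returns True if the second acknowledgement carries the first
    user's file."""
    first = service.submit(Enquiry("alice@example.invalid", "policy-statement.pdf"))
    second = service.submit(Enquiry("bob@example.invalid", None))
    return bool(set(first["attachments"]) & set(second["attachments"]))
```

Running `cross_user_leak` against both services in a code review pipeline turns the report's "insufficient scenario testing" into a concrete regression check.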

NTUC Income has since committed to improving checks on coding quality by replacing its manual code review process with tools such as Crucible, a collaborative code review application, and SonarQube, a tool for the continuous inspection of the code quality and security of codebases.

NTUC Income was found to have breached the Protection Obligation under section 24 of the Personal Data Protection Act 2012, and thus was issued with a warning, with NTUC Income having already implemented corrective measures.