Singapore's PDPC warns AXA, NTUC over data breaches

Policyholders' personal data were sent over emails to unintended recipients.

The Personal Data Protection Commission (PDPC) has warned AXA Insurance and NTUC Income of separate breaches involving the personal data of policyholders.

Acting on a July 2019 complaint, PDPC scolded AXA after a document containing personal data of 87 policyholders was sent as an email attachment to the wrong recipient, PDPC stated in a memo

The document included names, National Registration Identity Card (NRIC) numbers, insurance policy numbers, and details of servicing agents.

AXA admitted that it did not have a process that segregates documents intended for internal record purposes from documents for customers. Its customer care specialist also failed to check the attachment before sending out the email.

NTUC was warned after users received automated acknowledgment emails containing attached files of personal data of other individuals. The emails were received by users making enquiries on the insurer’s website.

NTUC attributed the breach to poor quality codes and said that it has since sought to improve checks on coding quality by replacing its manual code review process with tools such as Crucible and SonarQube.