FWD Singapore warned over data breach

Personal data was leaked through payment advice letters.

Singapore’s Personal Data Protection Commission (PDPC) has warned FWD Singapore for failing to prevent the unauthorised disclosure of personal data contained in payment advice letters.

In a decision, the insurer was found in breach of Protection Obligation under section 24 of the country’s Personal Data Protection Act 2012.

On 26 July 2019, FWD notified PDPC of a leak of 71 individuals’ personal data through 42 advice letters sent to incorrect recipients between 20 June and 17 July. It stemmed from an attempt to fix a logic error in the system it used to generate the letters.

A second logic error resulted in the extraction of wrong mailing addresses for advice letters in some circumstances. This could have been detected if manual code review and unit testing had been conducted to a reasonable standard, the PDPC said.