An insurance company sent a customer's personal data via unencrypted email
The Complaint
The complainant took out a pet insurance policy provided by an insurance company ("the Insurance Company"). When submitting a claim through the Insurance Company's online customer portal, the complainant uploaded an image of his bank card for the purpose of receiving reimbursement. Subsequently, the complainant received an unencrypted email from a representative of the Insurance Company in which his full name and complete bank account number appeared in plain text in the body of the email. The complainant considered email an insecure channel for sensitive data, and in particular objected that the staff of the Insurance Company had neither masked nor encrypted his bank account information before sending the email. As a result, the complainant lodged a complaint with the PCPD alleging, among other matters, that the Insurance Company had not taken adequate security measures to protect his personal data.
Outcome
According to the Insurance Company, its established workflow required employees to take reasonable precautions to ensure the security of data. The Insurance Company admitted that the incident stemmed from a staff member's failure to comply with the relevant internal guidelines, as a result of which the sensitive personal data in the email was not masked.
After the PCPD's intervention, the Insurance Company implemented several remedial measures, including providing training to employees on personal data privacy, deploying a personally identifiable information (PII) filter in its email system to intercept outgoing messages containing sensitive data, and automatically adding a reminder message to emails sent to external parties, so as to prevent similar incidents from recurring. The PCPD also issued a warning letter to the Insurance Company in response to the incident.
Lesson learnt
This case sheds light on the threat that human error poses to personal data security. The Insurance Company acknowledged that although internal procedures were in place, a lapse in their execution by staff could still lead to the leakage of customer data. As insurers handle a significant amount of sensitive information during claims processing, constant vigilance is essential. Given the risk of email interception, eavesdropping or misdirected transmission, sensitive personal information such as bank account numbers and identity card numbers should be masked or encrypted before it is sent by email. Written guidelines alone have proven insufficient to eliminate the risk of leakage. Therefore, in addition to providing continuous training so that frontline staff handle customers' personal data prudently, organisations should also introduce technical controls. Automated measures, such as the PII filter in this case, compensate for human oversight and form an additional layer of defence that reduces the risk of data leakage, rather than leaving the last line of defence to an individual employee's attention on the day.
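To make the two controls discussed above concrete, here is an added example of an outbound-email PII filter of the kind the remedial measures and the lesson describe: it detects Hong Kong identity card numbers and bank account numbers in a message body, masks them, quarantines messages to external addresses that still contain unmasked values, and prepends a reminder banner to external mail. This is illustrative code written for this page, not the Insurance Company's filter. The regular expressions, the masking formats, the domain used to decide whether a recipient is external, and the quarantine policy are all assumptions; the HKID check-digit arithmetic is the publicly documented algorithm and is used to suppress false positives. The sample message is constructed.

```python
"""Outbound-email PII filter: detect, mask, quarantine, remind (example only)."""
import re

# Assumed patterns, not any insurer's production configuration.
# HKID: one or two letters, six digits, check digit 0-9 or A in parentheses.
HKID_RE = re.compile(r"\b([A-Z]{1,2})(\d{6})\((\d|A)\)")
# Bank account: 9 to 16 digits, optionally grouped by hyphens or spaces.
# Requiring at least 9 digits keeps 8-digit HK phone numbers and YYYYMMDD
# dates out of the matches; tune for your own account-number formats.
ACCOUNT_RE = re.compile(r"\b(?:\d[ -]?){8,15}\d\b")

EXTERNAL_REMINDER = (
    "[Reminder] This email is addressed to an external party. Do not include "
    "unmasked bank account numbers or identity card numbers."
)


def hkid_check_digit(prefix: str, digits: str) -> str:
    """Compute the HKID check digit: A=10..Z=35, a single-letter prefix is
    padded with a space counted as 36; weights 9..2; result is (11 - sum mod 11)
    mod 11, with 10 written as 'A'."""
    chars = prefix.rjust(2)  # "A" -> " A"
    values = [36 if c == " " else ord(c) - ord("A") + 10 for c in chars]
    values += [int(d) for d in digits]
    total = sum(v * w for v, w in zip(values, range(9, 1, -1)))
    rem = (11 - total % 11) % 11
    return "A" if rem == 10 else str(rem)


def mask_pii(text: str):
    """Return (masked_text, findings). Findings hold only the masked form, so
    the filter's own logs and quarantine tickets do not re-leak the values."""
    findings = []

    def hkid_repl(m):
        prefix, digits, check = m.groups()
        if hkid_check_digit(prefix, digits) != check:
            return m.group(0)  # fails the check digit: almost certainly not an HKID
        masked = f"{prefix}******(*)"
        findings.append(("hkid", masked))
        return masked

    def account_repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        masked = f"account ending {digits[-4:]}"
        findings.append(("bank_account", masked))
        return masked

    text = HKID_RE.sub(hkid_repl, text)
    text = ACCOUNT_RE.sub(account_repl, text)
    return text, findings


def filter_outbound(sender_domain: str, recipients, body: str) -> dict:
    """Assumed policy: external mail with PII is quarantined and the sender
    notified with the masked copy; external mail without PII gets the reminder
    banner; internal mail is delivered with PII masked."""
    masked, findings = mask_pii(body)
    external = [r for r in recipients
                if not r.lower().endswith("@" + sender_domain.lower())]
    if external and findings:
        return {"action": "quarantine", "body": masked, "findings": findings}
    if external:
        return {"action": "deliver", "body": EXTERNAL_REMINDER + "\n\n" + masked,
                "findings": findings}
    return {"action": "deliver", "body": masked, "findings": findings}


if __name__ == "__main__":
    # Constructed sample message; the HKID and account number are made up.
    sample = ("Dear Mr Chan, we have verified HKID A123456(3) and will refund "
              "to 012-345-678901 within 5 working days.")
    print(filter_outbound("insurer.example", ["chan@mail.example"], sample))
```

The check-digit test matters in practice: without it any letter followed by six digits and a bracketed digit would trip the filter, and a noisy filter is one staff quickly learn to route around. The same applies to the account-number pattern, which is deliberately conservative; a real deployment would also handle attachments (the bank card image in this case) and would pair the filter with S/MIME or portal-based delivery for the cases where the full number genuinely has to reach the customer.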
(Uploaded in March 2026)