SINGAPORE - Insurance company AIA is running a check on all its systems after one of its Web portals, which contained the personal information of more than 200 people, was found to be publicly accessible.
When The Straits Times visited the portal on Wednesday (Feb 27), it was found to contain the names, NRIC numbers, genders, dates of birth and contact numbers of 225 AIA agents, former agents and their family members, including children as young as two.
Singapore's privacy watchdog, the Personal Data Protection Commission, said it was aware of the incident and is investigating.
In response to ST queries, an AIA spokesman said on Thursday that it is currently in the process of notifying the people whose information may have been compromised.
It is also informing them that the company has taken steps to "ensure their information is protected".
He added that AIA became aware of the issue on Wednesday when a member of the public was able to access the Web portal.
Although the portal had been discontinued, it was still up online and publicly accessible. It has since been taken down.
"Our Information Security team located the source of this information and the site was immediately taken down. At this point in time, we believe the information was only accessed by the individual who notified us about it," said the spokesman.
"AIA Singapore takes our responsibility to protect our agents' and customers' data privacy very seriously. We are running a comprehensive check of all our systems as an additional safety measure."
On Friday, AIA said it was still in the process of contacting these affected individuals.
According to the spokesman, there was a maximum exposure of 623 records, which belonged to 225 AIA agents, former agents, and their next of kin.
But, despite repeated queries from ST, the company did not provide details about when the portal appeared, what purpose it served, how long it remained publicly accessible and why it gave the public access to the data.
Mr Joseph Gan, CEO and co-founder of security solutions firm V-Key, said that in the wrong hands, such personal data could allow hackers to commit identity fraud and impersonate the people affected.