NRIC numbers remain personal data, should not be widely circulated: Josephine Teo
Source: Straits Times
Article Date: 09 Jan 2025
Author: Osmond Chia
The information should be collected and used only when necessary, says minister.
NRIC numbers remain a form of personal data, and should be collected and used only when necessary, said Digital Development and Information Minister Josephine Teo in Parliament on Jan 8.
Organisations that collect NRIC numbers still have a duty of care, and must notify and seek consent on the use of the data and protect it, she said in a ministerial statement to answer more than 50 questions from MPs over the recent wide-scale exposure of NRIC numbers.
“These are existing guidelines that will not change,” she added.
The Accounting and Corporate Regulatory Authority (Acra) had caused a storm among the public after launching its new Bizfile portal on Dec 9 that allowed the full NRIC numbers of registered people on its database to be retrievable for free via its search function.
The feature was taken down on Dec 13 in the light of public backlash.
Mrs Teo acknowledged the concerns raised by the public and said: “The recent Bizfile incident is unfortunate. Without intending to, it led the public to believe that the Government is changing its policy to allow full NRIC numbers to be exposed on a wide scale.
“This is not the case.”
Mrs Teo added: “We take the public’s concerns seriously and are very sorry for the mistake that caused them much anxiety.”
Some MPs asked about the rationale behind the plan to stop the practice of masking NRIC numbers and whether the number is still considered confidential.
Others asked about what private organisations should do, and whether the mishandling of NRIC numbers by private firms was still considered a data breach. MPs also asked about measures in place to protect citizens from an increased likelihood of impersonation scams.
Incorrect use of NRIC number
Responding, Mrs Teo said that NRIC numbers are a means to identify individuals, but some organisations have wrongly used the numbers as a means of authentication – which assumes that a person is who he claims to be simply because he can cite an NRIC number. Some organisations even grant a person access to privileged information or services on that basis.
“When used this way, my NRIC number is no longer just an (identifier) but a key to unlock more information or services,” said Mrs Teo. “This is clearly inappropriate.”
Another example is when some organisations collect and use partial NRIC numbers – typically the last four characters of an individual’s NRIC number.
“They think that this is safe, and that revealing only the last four characters still keeps the full NRIC number secret,” said Mrs Teo, adding that the use of masked NRIC numbers had become more common even within public agencies.
Some individuals also used their NRIC numbers as their passwords, believing that they are secret, she said.
But today, algorithms available online can easily decipher the full NRIC number from partial or masked numbers, said Mrs Teo, responding to security concerns raised by Dr Tan Wu Meng (Jurong GRC).
The availability of such algorithms means that the continued use of partial or masked NRIC numbers gives organisations and individuals a false sense of security, said Mrs Teo.
“This does not really keep the full NRIC number secret,” she said. “This also makes the practice of using NRIC numbers as passwords even more inappropriate.”
The Government moved first to stop the incorrect use within the public sector, and asked agencies to stop using the NRIC number as an authenticator or password, said Mrs Teo.
Plans went forth within the public sector first as a test bed to understand potential challenges of implementing the changes before moving to the private sector, she said.
“We knew this transition would take time,” she said. “But it was better to start while the problem is relatively contained, and for the Government to take the lead.”
She added: “We also asked agencies not to plan new uses, with a view to discontinuing existing uses of masked NRIC numbers eventually.”
Mrs Teo also clarified that the NRIC number is used as an identifier and not a password on national digital identity app Singpass, responding to a question by Non-Constituency MP Hazel Poa.
The NRIC number is set as a default user ID, but users are allowed to change their user ID to something else, Mrs Teo said, acknowledging that not many users may be aware of this.
NRIC cards, in their physical form or digital form on the Singpass app, remain an acceptable means of authentication, said Mrs Teo in reply to Workers’ Party chairwoman Sylvia Lim (Aljunied GRC).
Both the physical and digital NRIC cards include additional information, such as a photo, that can be used to verify the person presenting the card.
Instructions for the private sector
Private sector organisations that are using NRIC numbers as a means of authentication or as a default password should stop doing so as soon as possible, said Mrs Teo.
Insurance companies, for example, often use partial NRIC numbers and birthdates as an automated default password to allow customers to access private documents. Insurers and banks are in the midst of reviewing their processes.
Organisations that collect partial NRIC numbers to identify people can continue to do so as the guidelines on this have not yet changed, said Mrs Teo, adding that changes will be introduced only after consulting the public.
“We aim to start consultations soon and will provide details when ready.”
Early talks with private sector players suggest several approaches to data collection, Mrs Teo said. Some organisations that use partial NRIC numbers can replace them with other means of identification, such as contact numbers, or drop them entirely, she said.
But some organisations justifiably rely on the collection of full NRIC numbers even if they are not required to by law.
Pre-school centres, for instance, prefer to collect full NRIC numbers of visitors rather than just the mobile numbers, as parents feel more secure, said Mrs Teo.
Individuals applying for substantial financial aid from various organisations will also need to be accurately identified, she added.
WP MP Louis Chua (Sengkang GRC) asked if the Government had a timeline for public healthcare and private financial institutions to stop the practice of using NRIC numbers for authentication.
NRIC numbers can be used to reveal addresses and clinic records at e-kiosks in local healthcare institutions, and to freeze bank accounts. Insurers have also used partial NRIC numbers as part of default passwords for customers to access private documents.
Mrs Teo said that the Association of Banks in Singapore has said that banks do not have the practice of using NRIC numbers as the sole factor of authentication, but the authorities will do their part to check, given the large number of companies involved.
What should individuals do?
Mrs Teo urged individuals to be wary of trusting unsolicited callers simply because they are able to recite their NRIC number.
She said: “If someone we don’t recognise calls out our name and starts to behave as though they know us well, we would be slightly suspicious. We might be polite, but not too friendly.
“Certainly, we should not fully trust this person just because they know our name.”
Those who have used their NRIC number as a password to access any information or service should change the password immediately, she said.
If individuals and organisations stop the use of NRIC numbers as a means of authentication, it will go a long way to prevent fraud, said Mrs Teo, in reply to concerns about the risk of scams following Acra’s disclosure of the NRIC numbers.
She said: “Most NRIC-related scams involve victims who think they are speaking to figures of authority and end up taking actions that harm themselves, such as transferring money, without further checks.
“Very few cases have involved scammers directly using NRIC numbers to unlock access to valuables.”
Mrs Teo said: “By taking action as soon as possible, we can increase protection for all of us. This will allow us to more confidently use the full NRIC number as a unique identifier whenever we need to do so.”
The authorities will also speed up efforts to educate the public on best practices in handling data and to stop incorrect practices.
“We had also planned to mount a major effort to help Singaporeans be aware of the risks and to support efforts to stop incorrect practices,” said Mrs Teo.
“The Bizfile incident was an unfortunate misstep, which now means these plans need to be brought forward.”
How should individuals and the private sector handle NRIC numbers?
While Singapore is moving away from the use of masked NRIC numbers, it does not mean that they should be widely shared.
Here are some pointers from Digital Development and Information Minister Josephine Teo’s ministerial statement for individuals, private sector organisations and public agencies, following the widespread disclosure of NRIC numbers on the Accounting and Corporate Regulatory Authority’s Bizfile portal in December.
Individuals
Individuals who include parts of their NRIC number in their passwords should update them immediately to make it harder for fraudsters to exploit those numbers to access privileged information or services.
Those who have used their NRIC number as a password to access any information or service have wrongly used it as an authenticator.
Modern technology has made it easy to decipher the full NRIC number from a partial or masked number, making its use vulnerable.
Do not simply trust anyone who can recite your NRIC number as it could be a fraudster, said Mrs Teo, who added: “We should be cautious about revealing more about ourselves, or saying ‘yes’ to their requests, or following their instructions, without checking further.”
For extra security, Singpass users can change their user ID from their NRIC number, which is set by default, to something else.
Private organisations
Organisations that use NRIC numbers as a means of authentication or as part of a default password should stop doing so as soon as possible.
This process is not to be confused with the use of a physical or digital NRIC card, which is accepted as a means of authentication because it contains other information such as the individual’s photo and fingerprint that can be used to verify the person holding the card.
In short, NRIC cards can be used for authentication, but NRIC numbers alone should not.
Where necessary, organisations may continue to collect NRIC numbers, which remain classified as personal data that requires protection. Mrs Teo said companies that collect them must exercise a duty of care to protect the data and seek consent from individuals on its use, where required under the law.
The collection of full NRIC numbers is justifiable as a way to identify people in some instances, such as when financial aid is being disbursed.
Private sector firms that collect partial NRIC numbers to identify people can continue doing so, as the guidelines for the private sector remain unchanged for now, pending consultations with the public.
Public sector
All public sector agencies have stopped using NRIC numbers as authenticators, following the Ministry of Digital Development and Information’s internal circular that was sent in July, said Mrs Teo.
The Government moved first to update the way that NRICs are used within the public sector, and asked agencies to stop using the NRIC number as an authenticator or password, she said.
Government agencies will still ask individuals for their full NRIC numbers where necessary, such as when applying for subsidies or benefits, said Mrs Teo, who added that each use merits its own considerations.
Source: Straits Times © SPH Media Limited. Permission required for reproduction.