NRIC saga: Review finds key Acra, MDDI shortcomings; no evidence of deliberate wrongdoing

Source: Straits Times
Article Date: 04 Mar 2025
Author: Irene Tham & Osmond Chia

A review panel flagged shortcomings that led to the mass disclosure of NRIC numbers of key business representatives and others on Bizfile’s database. 

A review panel that investigated the disclosure of individuals’ full NRIC numbers on a government business portal has found no evidence of malicious intent or wilful wrongdoing.

But the panel, led by head of civil service Leo Yip, uncovered shortcomings by both the Accounting and Corporate Regulatory Authority (Acra) and the Ministry of Digital Development and Information (MDDI) in the incident. 

The six shortcomings included security lapses at Acra that contravened the Government’s internal data management rules, and lack of clear communication between Acra and MDDI that led to full NRIC numbers being published on Acra’s refreshed business portal Bizfile in December 2024.

“In this incident, the public service did not perform to the level we set for ourselves. We should have done better, and this review contains important lessons which we will apply,” said the panel in its report released on March 3.

“More importantly, the lessons that the panel had identified will be disseminated across the whole of the public service, so that agencies can take these on board and similar incidents do not recur.”

The report was submitted to Prime Minister Lawrence Wong on Feb 26. In a letter issued to the media, he said he agreed with the assessment of the shortcomings as well as the learning points identified.

“The report sets out key lessons for the public service. The Government will take these lessons to heart, improve its processes, and strive to do better moving forward,” he said.

On Dec 9, 2024, Acra refreshed its Bizfile portal with a search feature that allowed the full NRIC numbers of registered people on its database to be accessed for free. The feature was taken down on Dec 13 after public backlash.

The panel said in its report: “While the panel did not find any factual evidence of deliberate wrongdoing or wilful inaction by the MDDI and Acra officers involved in this incident, it found several shortcomings by both Acra and MDDI in this incident, which should have been avoided.”

MDDI should have been clearer in its policy communications, it said, particularly in its July 2024 circular that went to all public agencies, requiring them to stop the use of NRIC numbers for authentication, and stop internal uses of masked NRIC numbers within the public sector.

This was to take place from Nov 1 that year, in line with a broader national policy intent to return NRIC numbers to their proper use as unique identifiers, by stopping the incorrect use of NRIC numbers for authentication.

The circular also informed agencies not to introduce any new uses of masked NRIC numbers, both internally and externally, with immediate effect.

According to the panel, “MDDI and Acra staff did not realise that Acra had misunderstood how the July 2024 (circular) applied to the new Bizfile portal”.

Acra’s refreshed Bizfile portal, which was meant to continue to display partial NRIC numbers alongside corresponding names in search results, was not considered a new use by MDDI. But Acra’s takeaway was different.

Also, the misinterpretation was not caught as two Acra staff involved in a follow-up MDDI briefing in mid-July did not disseminate the additional briefing materials to the project leads for the new Bizfile portal and Acra’s senior leadership.

The panel – which comprises the permanent secretaries of multiple ministries – found that Acra was the only agency that had misunderstood the July 2024 circular to the extent that it did.

The panel also found that Acra did not assess the proper balance between sharing full NRIC numbers and ensuring that they were not too readily accessible.

“This was a contravention of IM8, which Acra was required to comply with under the PSGA (Public Sector Governance Act),” said the panel in its report, titled “Report of the Review into the Public Disclosure of Full NRIC Numbers on Bizfile People Search”.

IM8 is a set of instructions that govern how public agencies collect, use and disclose citizens’ data. The public sector’s personal data protection standards in the PSGA and IM8 are aligned with the Personal Data Protection Act but have been adapted to the public service context.

Alternative designs for Bizfile should have been considered, said the report. One way is to require users to narrow their search by keying in additional parameters like the unique entity number of the associated business entity.

As for MDDI, it should have given more attention to the implementation plan for new uses of partial NRIC numbers that were more complex, such as public registries, the panel said in its report.

“The panel would like to emphasise the importance of agencies regularly assessing data security and protection risks, taking into account user needs and public concerns,” according to the report.

“When there is a new policy direction, agencies should reassess the adequacy and appropriateness of their system design and make comprehensive assessments of different options to meet the policy objective.”

The panel affirmed the broad policy intent to stop the incorrect use of NRIC numbers for authentication and move away from the use of partial NRIC numbers. This will be carried out in phases starting with the public sector and involving public consultations. “Doing so would better protect our citizens,” according to the report.

“The Public Service Division, MDDI and Acra will separately follow up to review the actions and responsibilities of the relevant individual officers. This will be conducted in accordance with the applicable accountability and disciplinary frameworks and processes in the respective public agencies involved,” the panel said.

The panel also acknowledged that the issue could have been better managed after public concerns surfaced. Acra should have disabled the People Search function sooner, and the response to the public should have been better coordinated and clearer.

“In hindsight, the Government should have made clear to the public at the outset that moving away from the use of partial NRIC numbers did not automatically mean using full NRIC numbers in every case, or disclosing them on a large scale,” the panel said. 

On Feb 25, the panel submitted its report to Senior Minister and Coordinating Minister for National Security Teo Chee Hean, who is also Minister-in-charge of Public Sector Data Governance and oversees the Smart Nation and Digital Government Group.

SM Teo, in turn, submitted the report to PM Wong the next day.

SM Teo will deliver a ministerial statement on the report in Parliament on March 6, said the Prime Minister’s Office.

Apologising for its oversight, MDDI said in a statement on March 3: “In this incident, the public service did not perform to the level we set for ourselves.”

The ministry is preventing similar incidents by providing more guidance to government agencies on how the policy on NRIC numbers should be applied.

It has identified almost 800 existing uses of partial NRIC numbers in public-facing systems, including tenancy documents. It will also step up public education on the incorrect use of NRIC numbers.

Acra, in a joint response on March 3 with the Ministry of Finance, also apologised for the incident and said it is taking steps to address the shortcomings.

These efforts include conducting more regular risk reviews before, during and after major tech system changes. Acra also said it will strengthen its vendor oversight and launch user tests prior to new system launches.

MDDI and Acra said appropriate actions are being taken with the officers and leaders involved, including performance assessments with financial consequences and additional training.


6 missteps in Acra’s disclosure of full NRIC numbers in December 2024

A review panel investigating the disclosure of full NRIC numbers last December on the Accounting and Corporate Regulatory Authority’s (Acra) Bizfile portal published its findings on March 3.

The probe found no deliberate wrongdoing by the Ministry of Digital Development and Information (MDDI) or Acra, but flagged shortcomings that led to the mass disclosure of NRIC numbers of key business representatives and others on Bizfile’s database.

These are the key shortcomings highlighted:

1. MDDI should have been clearer

The report found that MDDI was not clear enough in its policy communications issued in July 2024 in a circular to various government agencies on plans to end the use of NRIC numbers for authentication and cease any new masked NRIC usage by Nov 1, 2024.

MDDI had written that agencies are to immediately cease any planned use of masked NRIC numbers, such as in new business processes or digital products.

In a question-and-answer section on what agencies should do with all the masked NRIC numbers currently in existing systems, MDDI said the agencies are not allowed to continue to use masked NRIC numbers in any of the internal government systems. “Agencies should either display the full NRIC number, or consider if there is even a need to use NRIC numbers.”

Given that this was a complex policy, MDDI should have been more precise and provided more context in the circular, the panel wrote, adding: “This would have helped agencies like Acra better interpret the (circular).”

It noted that MDDI made an effort to ensure the circular was understood by agencies, having engaged with nearly 50 agencies, including Acra, on their use of NRIC numbers.

Acra and MDDI had exchanged multiple e-mails on the topic without addressing the crux of the misunderstandings.

For instance, MDDI was not explicit that it considered Bizfile’s People Search tool an existing use, rather than a “planned use”, of partial NRIC numbers that would not be immediately stopped. In turn, Acra did not make clear its interpretation of MDDI’s instructions.

“Both agencies should have taken the initiative to discuss the matter in depth, given that there were important details to clarify and that the new Bizfile portal is a major public platform,” according to the report.

2. Insufficient sharing of information within Acra

Two officers from Acra who attended MDDI’s July 16 briefing and received meeting materials on the new policy should have ensured that the information was disseminated within Acra, especially to those who needed to act on the circular. “However, this was not done,” said the panel.

A frequently-asked-questions document that was shared with the officers would have alerted senior management to the fact that stopping the use of partial NRIC numbers did not mean showing full NRIC numbers in every case, and agencies could drop the use of NRIC numbers altogether.

The panel recommended that Acra review its processes to ensure there is sufficient dissemination of information within the organisation and to those who would require it to make informed decisions.

3. MDDI should have paid more attention to complex uses

MDDI should have given more guidance to more complex new applications – such as public registries – to help agencies understand how to stop the use of partial NRIC numbers and decide if full NRIC numbers were necessary, the panel reported.

Although Bizfile’s People Search function was an existing-use case – rather than a new application, as Acra had thought – it was a more complex use of NRIC numbers that warranted closer guidance by MDDI, the report said.

4. Poor risk assessment by Acra

The panel found that Acra misjudged the need for corporate checks through Bizfile at the expense of privacy, making personal data too easily accessible.

Acra applied its incorrect interpretation of MDDI’s message to its existing Bizfile design without adapting it to the purposes of the People Search function, which is primarily to help users narrow down which profile to purchase, such as to identify an individual who might have the same name as others.

The panel said Acra should have explored alternative People Search designs in the new Bizfile portal, ensuring that users could retrieve only the necessary data – such as by requiring extra search parameters like a Unique Entity Number.

The report noted that although Acra was aware of the risks of displaying full NRIC numbers, it did not adequately consider other designs, as the new Bizfile portal was in its final stages of development when MDDI’s new directions were introduced in July.

Acra should have considered if there was a need for Bizfile users to view the NRIC numbers in full.

The incident took place before public education efforts had begun on the proper use of NRIC numbers as a unique identifier, exacerbating concerns when the full NRIC numbers were easily retrievable on Bizfile, said the report, adding that MDDI should have started public engagement earlier than it had planned.

5. Security features on Bizfile lacking

Some cyber-security features that would have prevented users from collecting data from the Bizfile portal en masse were not adequately set up when the portal was launched on Dec 9, the panel found.

This included the Captcha function, a common pop-up that challenges users to decipher stretched letters or other tests to tell apart real users from automated users such as bots.

Acra asked its IT vendor to resolve the issue urgently, and it was fixed by the time the People Search function resumed on Dec 28.

The IT vendor was not named in the report.

At least 500,000 queries were made on People Search between Dec 9 and 13, higher than the usual daily traffic of up to 3,000 queries, the report said, adding that the searches came from some 28,000 IP addresses, most of them overseas.

The report noted that Acra was not able to identify the exact number of NRIC numbers that were disclosed through these queries, as the Bizfile portal is not configured to track individual queries for the People Search function.

6. Poor communication with the public

Acra should have disabled the People Search function sooner and, along with MDDI, should have acted faster to lay down the key facts on how the incident happened, after public concerns surfaced on Dec 12, said the report.

It took Acra and MDDI some time to figure out the misunderstanding of MDDI’s instructions and whether there were alternatives to halting the People Search function.

The panel said the agencies should have paid more attention to the disclosure of NRIC numbers first, even as they clarified MDDI’s July instructions.

“Doing so could have helped the agencies to decide and disable the People Search function earlier,” said the report.

The panel added that the agencies should have done better in their response to the public. Various officers in the agencies were responding to public queries without close coordination, said the panel, urging the agencies to review their processes for handling public feedback.

There is room for improvement in how the agencies handled public communications on the correct use of NRIC numbers, the report added.

The Government should have made clear to the public at the outset that moving away from the use of partial NRIC numbers did not automatically mean using full NRIC numbers in every case, nor was it the Government’s intention to disclose full NRIC numbers on a large scale.

The review panel wrote: “Doing so would have helped to reassure the public that NRIC numbers remain personal data, which should only be collected, used or disclosed when there is a need to do so.”

Source: The Straits Times © SPH Media Limited. Permission required for reproduction.
