Review of Acra NRIC unmasking incident likely to be completed in Feb, findings to be made public
Source: Straits Times
Article Date: 09 Jan 2025
Author: Lee Li Ying & Goh Yan Han
Between Dec 9 and 13, NRIC numbers of some Singaporeans were available in full in the free People Search function on Bizfile.
Head of Civil Service Leo Yip is leading a review to get to the bottom of how full NRIC numbers came to be revealed by the Accounting and Corporate Regulatory Authority (Acra) on its recently launched business portal.
It is reviewing the Government’s policy on the responsible use of NRIC numbers, as well as the disclosure of full NRIC numbers on a search function of Acra’s portal in December.
The panel is expected to complete its work in February, and the findings will be made public.
“For both matters, the panel will study what happened, how the decisions were made, the implementation and communication processes, the coordination across public sector agencies, and where the Government should have done and can do better,” said Second Minister for Finance Indranee Rajah in a ministerial statement in Parliament on Jan 8.
Acra had made available full NRIC numbers in its free People Search function on its new Bizfile portal launched on Dec 9, sparking public backlash. The function was eventually disabled on Dec 13.
Between Dec 9 and 13, the People Search function on the portal saw some 500,000 searches, much higher than the usual daily traffic of 2,000 to 3,000 queries.
The Government had said in December that it intended to change the practice of masking NRIC numbers, but the new portal was launched before the plans were announced to the public. It apologised for the anxiety caused, and explained that the error had occurred due to Acra’s misunderstanding of an internal government circular.
MPs filed more than 50 questions relating to the NRIC incident, including on accountability for the incident, the additional risks of identity theft and scams on Singaporeans, and how the Government will carry out public education on NRIC data practices.
In her ministerial statement on Jan 8, Ms Indranee said the panel, which will report to Senior Minister Teo Chee Hean, will include permanent secretaries whose ministries are not involved in the NRIC policy or in the incident.
It also includes the permanent secretaries of the Ministry of Digital Development and Information (MDDI) and the Ministry of Finance, which oversees Acra.
The panel will recommend areas for improvement and, specific to the People Search function on Bizfile, it will look into the design and implementation of the search function, she said.
Digital Development and Information Minister Josephine Teo also delivered a ministerial statement, where she emphasised that NRIC numbers still remain a form of personal data that should be collected and used only when necessary.
Thirteen MPs raised clarifications following the two ministerial statements by Ms Indranee and Mrs Teo.
For about two hours, the ministers responded to questions such as at what point the Government had thought the policy change around NRIC numbers was necessary, which scenarios would necessitate the use of full NRIC numbers and how the Government would stem incorrect use of NRIC numbers.
How the mistake came about
The review is ongoing, but Ms Indranee gave an account of the key facts that have been pieced together so far.
In July 2024, MDDI issued a circular directing government agencies to stop any planned use of masked NRIC numbers in new business processes and digital services.
Acra had understood the directive to mean that it had to display NRIC numbers in the People Search function of the Bizfile portal in full.
Acra had internal deliberations about the risks of unmasking NRIC numbers, including the possible impact on personal data protection. The authority then sought MDDI’s clarification.
Due to “a lapse in coordination between MDDI and Acra”, the authority continued to mistakenly understand the directive, and disclosed full NRIC numbers on the Bizfile portal.
“Let me stress this: It was not the Government’s intent for agencies to make datasets of NRIC numbers in their possession widely and easily accessible,” said Ms Indranee.
Mrs Teo acknowledged in her ministerial statement that, without intending to, the incident had led the public to believe that the Government is changing its policy to allow full NRIC numbers to be exposed on a wide scale.
“This is not the case,” said Mrs Teo.
Organisations that collect NRIC numbers still have a duty of care, and must notify and seek consent on the use of the data and protect it.
“These are existing guidelines that will not change,” she added.
She also emphasised that ceasing the use of masked NRIC numbers does not automatically mean using full NRIC numbers in every case.
“Instead, MDDI’s policy intent was for agencies to: one, not use NRIC numbers at all unless necessary; two, use other identifiers in lieu of NRIC numbers, where this was adequate; and three, in certain cases such as in medical settings where the use of NRIC numbers is required by law or necessary for accurate identification, use full NRIC numbers.”
Ms Indranee added: “MDDI has acknowledged that they should have made this clear.
“With the benefit of hindsight, it is clear that there were gaps in the communication and understanding of MDDI’s policy intent.”
Addressing why Acra disabled the People Search function only on the night of Dec 13 when public concerns about the unmasked NRIC numbers surfaced on Dec 12, Ms Indranee said MDDI and Acra needed time to assess if the disclosure of full NRIC numbers was consistent with MDDI’s policy intent.
It also had to consider the feasibility and lead time needed to effect alternatives. Disabling the search function was a last resort, given the impact on businesses and individuals who might need to use the People Search function to conduct their due diligence checks, she pointed out.
“The agencies could have been more prompt in their response; one must also have regard to the various considerations that they were balancing at that time. As part of the review, we will study how the Government could have responded more quickly.”
Why Acra has to provide public access to information
Ms Indranee also addressed questions on why Acra needs to provide public access to basic information associated with businesses.
She pointed out that some questions raised by MPs are based on an underlying assumption that NRIC numbers cannot be made public at all, which is not correct.
Acra is empowered to collect and maintain information on business entities and their associated individuals.
The information on business entities that Acra collects and maintains includes the business’ name, Unique Entity Number (UEN) and registered address, among others.
The information on associated individuals that Acra collects and maintains includes the individual’s name, nationality, identification number (such as NRIC number) and contact address.
It also includes the past and present positions that they hold or have held in business entities that they are or have been associated with, as well as when they held these positions.
To maintain corporate transparency, facilitate business transactions and guard against illicit activities, Acra is allowed by law to give public access to such information – including NRIC numbers.
“Public access to such information is not unique to Singapore. Many business registries around the world similarly provide public access to such information.”
Some scenarios where public access to such information is necessary include allowing banks to conduct background checks on a new corporate client, and allowing companies and investors to facilitate due diligence checks on the identities and shareholdings of their counterpart’s company directors.
“It is important to understand that public disclosure of NRIC numbers is not prohibited per se. The real issue is the degree and ease of access to NRIC numbers,” said Ms Indranee.
Explaining that on the old Bizfile portal, users could still obtain the full NRIC number of an individual by purchasing their People Profile, Ms Indranee said that in the context of a Bizfile search, NRIC numbers have never been confidential or secret.
What had changed with the new Bizfile portal was that, with a name search, users would be able to view the names and full NRIC numbers of individuals – meaning the public had free access to the full NRIC number of any individual in Acra’s database.
Acra has since revised the People Search function such that it returns only names and no longer displays any NRIC number, whether masked or unmasked, said Ms Indranee.
Ms Indranee also pointed out that Acra’s database does not contain information on all Singapore citizens.
“It contains information only on individuals who are reflected in filings or lodgements made with Acra. These are individuals who are or have been involved in Acra-registered entities, such as companies, partnerships, as well as non-profit organisations that are companies limited by guarantee.”
Addressing questions on whether the disclosure of full NRIC numbers aligns with data protection policies under the Personal Data Protection Act (PDPA), Ms Indranee said that as a public agency, Acra is required to meet personal data protection standards set out in the Public Sector (Governance) Act (PSGA) and Government Instruction Manuals (IMs).
IMs are standards similar to those under the PDPA.
“As the panel is still ascertaining the full facts of this incident, it would be premature to conclude definitively whether there has been any breach of the PSGA or the Government IMs,” said Ms Indranee.
Whether action will be taken against those involved depends on the outcome of the review, added Ms Indranee.
“Based on the panel’s preliminary findings, the incident seems to be a genuine case of miscommunication borne out of insufficient understanding of the policy intent and each party’s needs and requirements,” she said.
Nevertheless, if the panel uncovers facts that suggest actionable wrongdoing or serious lapses, it will refer the matter to the relevant bodies or authorities for further disciplinary or legal action.
When did the Government change its thinking around NRIC numbers?
The impetus for the change in NRIC policy also came under scrutiny in Parliament.
Leader of the Opposition Pritam Singh asked why the NRIC unmasking was not brought to Parliament but addressed in a circular, given the significant and public concerns.
Mr Singh (Aljunied GRC) pressed for answers regarding when the ministry determined that such a change was necessary, whether whole-of-government discussions took place, and how many agencies, apart from Acra, misunderstood the circular sent by MDDI.
In response, Mrs Teo said she does not have the exact date when discussions began, but that it would have been “some months” before the circular was issued.
She said whole-of-government discussions did take place, including briefings that allowed agencies to clarify the changes. She added that it would be better to wait for the findings of the full review.
With the Government planning to eventually discontinue the existing use of masked NRIC numbers, Mr Xie Yao Quan (Jurong GRC) asked for specific examples of cases where the Government will use full NRIC numbers moving forward, and where other identifiers will be used.
Mrs Teo said that in some instances, names or other identifiers would be sufficient. But full NRIC numbers will be necessary when an individual is applying for subsidies or accessing a benefit provided by the Government.
Each case merits its own considerations, and the process of deciding this has started but not been completed, she added.
Responding to Ms Tin Pei Ling’s (MacPherson) question on what actions will be taken to prevent the misuse of NRIC numbers, Mrs Teo said very few scams, if any, involve the NRIC numbers being used to directly access valuable data.
The best protection is for individuals to avoid using their NRIC numbers as passwords or for authentication, said Mrs Teo.
Over 500,000 searches made in 5-day period when Acra’s new Bizfile portal had full NRICs available
More than 500,000 searches for individuals were made on the Bizfile portal during the five-day period from Dec 9 to 13 when full NRIC numbers were made available.
This is much higher than the usual daily traffic of 2,000 to 3,000 queries made through the portal’s free People Search function, said Second Minister for Finance Indranee Rajah in Parliament on Jan 8, citing investigations thus far.
The new Bizfile portal, managed by the Accounting and Corporate Regulatory Authority (Acra), was launched on Dec 9. Members of the public began voicing their concerns on Dec 12 about the disclosure of the NRIC numbers.
The authorities temporarily disabled the search function on the night of Dec 13.
Ms Indranee said the bulk of the queries on the new portal were made on Dec 13. These came from an estimated 28,000 IP addresses, most of which were from Singapore, she added.
She was responding in a ministerial statement to questions from MPs on the incident, which had unfolded in mid-December.
Ahead of the sitting in January, MPs including Mr Dennis Tan (Hougang) and Dr Tan Wu Meng (Jurong GRC) had asked about the number of searches conducted, the number of distinct users who conducted the searches, as well as the number of NRIC numbers that were disclosed before the search function was disabled.
They also asked about the risk that the NRIC numbers had been accessed by malicious actors.
In response, Ms Indranee said the authorities are unable to identify the exact number of NRIC numbers disclosed through the queries, as the Bizfile portal is not configured to track individual queries for its People Search function.
She added that Acra and the Government Technology Agency conducted a security review and identified that the security feature in the People Search function, designed to distinguish between human users and computer bots, was “not working as intended”.
This has since been fixed, she said.
“Thus far, we have not uncovered any known threat actors, based on the IP addresses that were used to make the People Search queries between Dec 9 and 13, 2024,” said Ms Indranee.
Following the incident, Acra is reviewing how its People Search function can be improved, she said.
For example, it is considering the roll-out of additional search parameters, such as the Unique Entity Number (UEN) of the entity with which an individual is associated.
The People Search service has since resumed on Dec 28, with search results no longer showing any NRIC numbers, whether masked or unmasked.
Ms Indranee stressed that Acra’s database does not contain information on all Singapore citizens, but only individuals who are or have been involved in Acra-registered entities.
These include companies, partnerships, as well as non-profit organisations that are companies limited by guarantee.
She also laid out steps that those who are worried their NRIC numbers had been accessed can take to protect themselves.
First, they should ensure their NRIC numbers are not used as a password for any of their digital accounts, and change it as soon as possible if so.
Second, they should not use their NRIC numbers for authentication.
Third, they should not assume someone to be a legitimate authority, even if the person knows their NRIC number.
“Even if someone can recite your full NRIC number, it would be prudent to ascertain their identity and intent by conducting other checks,” Ms Indranee said.
Source: Straits Times © SPH Media Limited. Permission required for reproduction.