As agencies apologise over NRIC confusion, concerns over scam risk and privacy loss remain: Opinion
Source: Business Times
Article Date: 16 Dec 2024
Author: Yong Jun Yuan
Concrete steps to mitigate the impact of public NRIC numbers are sorely needed.
The government’s revised stance on the sensitivity of National Registration Identity Card (NRIC) numbers may have a solid basis but the concerns over the risk of data breaches and loss of privacy have yet to be assuaged.
Many citizens still have the mindset that NRIC numbers are private and confidential, and have concerns that the easy availability of the full numbers may lead to identity thieves having a field day.
For example, since September 2019, organisations have been barred from collecting, using or disclosing NRIC numbers, or making copies of the identity card unless they are required to do so by law.
In fact, concerns about their unfettered use led to the introduction of stricter rules by the nation’s privacy watchdog, the Personal Data Protection Commission (PDPC).
The commission’s website even had a “Protect Your NRIC Number” page. That page is now defunct following the government’s new stance on NRIC numbers.
Between 2015 and 2018, a cyber attack on SingHealth led to a data leak that compromised 1.5 million patients’ data. The data leaked included names, NRIC numbers, addresses, gender, race information and dates of birth.
In August 2021, 79,400 MyRepublic customers’ NRIC scans were stolen by hackers. The Internet service provider discovered unauthorised data access on a third-party platform where it stored such data.
In both cases, the companies were fined by the privacy watchdog for failing to protect NRIC numbers.
Such incidents showed that the NRIC numbers were worth protecting, and companies should make every effort to protect them from leaking.
That was why there was an outcry among some observers when it emerged that the Accounting and Corporate Regulatory Authority’s (Acra) revised Bizfile portal – launched on Dec 9 – made full NRIC numbers of business owners and shareholders easily available through the search function.
Bizfile’s search function has since been temporarily suspended. It is unclear how many individuals’ data have been viewed since the function was updated to provide full NRIC numbers.
As a victim of an earlier data leak, I have long been concerned about the widespread use of NRIC numbers as a point of verification.
For instance, telcos, banks and insurance companies all use NRIC numbers in some form to identify users over the phone before proceeding to make certain transactions on their behalf. Additional information is usually needed to proceed with certain transactions but this is not always the case, especially if an action is deemed to be of lower risk.
Identity thieves may not need to provide more than full names and NRIC numbers to freeze a victim’s credit cards. Banks err on the side of caution when requested to do this.
So the government’s move to stop treating NRIC numbers as private and confidential is a welcome move. NRIC numbers are not effective as secure credentials and, once compromised, cannot be regenerated. In my opinion, this change is long overdue.
But the change – without any warning or explanation – has given some observers the sensation of whiplash.
For its part, the government has apologised at least thrice for the disruption it has caused.
The Ministry of Digital Development and Information (MDDI) said that it meant to announce the change in approach and practice of masking NRIC numbers only after “explaining the issue and preparing the ground”.
MDDI also said that there will be a public education effort about the purpose of the NRIC number, and how it should be used freely as a personal identifier.
However, this education effort comes before any debate on the merits of making full databases of NRIC numbers public, or if the move to view NRIC numbers as public has other unintended privacy implications.
If NRIC numbers are made completely public, say, in a common database, individuals will also have to become comfortable with making their birth months and years public.
One reason why citizens cannot get new NRIC numbers assigned is that the number references the holder's birth year, as well as how many people were born before them.
With someone’s NRIC number, anyone can use publicly available SingStat data on resident live-births by month and derive that person's birth month.
The public should have been consulted on whether such data is okay to be publicly available, or whether NRIC numbers should be randomly generated from now on to prevent the leakage of more personal data.
Unfortunately, Pandora’s box has been opened. Business leaders and politicians have likely had their NRIC numbers leaked at this point.
Some would argue that it has been open for some time. I certainly would.
A relative recently told me that he received a phone call from scammers claiming to be staff from a particular bank. They even recited his NRIC number to convince him that they were legitimate.
The only reason he did not fall for the scam was that he had never worked with the bank before.
Such scams will become more prevalent as NRIC numbers are made public, and the public will have to prepare for more types of scams. This is a daunting prospect for many.
While the agencies have apologised, it is clear that the next step needs to involve details of concrete measures as well as timelines. For example, it is unclear if the government will mandate more mature authentication measures for customers of companies in critical sectors, such as finance and telecoms.
The lack of such measures – or at least details on how the agencies plan to move forward on this – to mitigate the impact from publicly available NRIC numbers means that Singaporeans are all the more in need of reassurance.
Source: Business Times © SPH Media Limited. Permission required for reproduction.