ACRA apologises for unmasking NRIC numbers on Bizfile caused by 'lapse in coordination'
NRIC numbers should not be used as a password or an authenticator to prove that a person is who he or she claims to be.
The unmasking of Singaporeans' full NRIC numbers was a mistake caused by a "lapse in coordination" between staff from government agencies on how this was to be implemented.
Staff from ACRA had misunderstood an internal circular sent out by the Ministry of Digital Development and Information (MDDI) to government agencies, leading to the incident.
In a Dec. 19 press conference, Minister for Digital Development and Information Josephine Teo and chief executive of ACRA Chia-Tern Huey Min apologised for the mistake. Teo said,
"I would firstly like to acknowledge the concerns of the public, which we take very seriously. We are very sorry to have caused them much anxiety."
Teo explained that the government needs to change its policy involving the use of NRIC numbers because the current situation leaves Singaporeans vulnerable.
While plans were already underway to unmask NRIC numbers within the government, no concrete decision had been reached regarding the private sector, Teo said.
Second Minister for Finance Indranee Rajah, who co-fronted the panel, added that the issue is something the government "[does] not take... lightly".
"The plan was to have a phased-out sequence with public communications. But what happened in this instance is that, because of this misunderstanding, the [NRIC] numbers inadvertently got put out... and then everything got accelerated," she explained.
"We're committed to take the necessary actions to rectify the situation responsibly."
How the mistake came about
The new Bizfile portal, which allows public searches on individuals associated with businesses, was launched on Dec. 9.
But one new feature, which allowed members of the public to obtain the full NRICs of individuals registered in ACRA, quickly drew attention and concern.
In the previous iteration of the portal, only masked NRIC numbers were made available for free under the "People" search function.
The full NRIC details would be revealed only if someone logged into the portal and paid the S$33 fee for an individual's full profile.
However, prior to the new launch, the government had begun its new internal effort to stop using masked NRIC numbers, which provided "a false sense of security".
MDDI subsequently issued a circular for agencies to stop using masked NRIC numbers in new business processes and services.
But due to a lapse in coordination between staff members, ACRA interpreted this to mean that they should unmask all NRIC numbers in the new Bizfile portal.
This was despite the portal and its contents being public-facing, and not exclusive to the government.
But why unmask NRICs anyway?
As to why the government had decided to stop masking NRICs in the first place, Teo explained that it was to avoid "a false sense of security".
"Because the main purpose of the NRIC is to be a unique identifier, it cannot be a secret, just as our names are not secret," she said.
"However, over time, NRIC numbers have increasingly come to be used as more than just an identifier."
She elaborated that certain organisations had begun to use NRICs as a means of authentication to prove an individual's identity to grant access to a product or service.
An example could be to gain access to insurance documents, or a pay slip.
"That is, the NRIC number has also become an authenticator. This is not a good idea," she said.
With a person's date of birth and partial NRIC, it is possible to make a "good guess" as to their full NRIC through the use of algorithms.
This allows bad actors to potentially get access to an individual's personal documents, by making use of their masked NRIC number, she said.
Moving away from the status quo
The perception that the NRIC number is "secret" information only owned by the government also has other consequences.
People might use their NRIC number as a password for certain websites or services, believing it to be confidential.
Or a scammer might use the aforementioned algorithms to get hold of a person's full NRIC number, and use this as "proof" that they are a figure of authority for being in possession of this information.
"This makes us vulnerable to potential scammers," Teo said.
"These practices and mindsets must change. We know this will take time, and that is why we're not rushing to change policy.
We will start by focusing on the incorrect uses of NRIC numbers, and stopping such practices. And this means moving away from using the NRIC number as a password, and moving away from using the NRIC number as an authenticator, to prove that a person is who he claims to be."
Mask or don't mask NRICs?
That said, while the government is moving away from the use of masked NRICs, that does not mean that full NRICs must be used in all circumstances.
In situations in which identities need to be accurately ascertained — such as in healthcare, when an individual is being prescribed medicine or has to undergo a procedure — only full NRICs should be used.
But in other situations, such as lucky draws or accessing private property areas, no NRIC number should be used at all, masked or otherwise.
"There are alternatives, like phone numbers or email addresses, that can be used," Teo said.
"In other words, not using masked NRIC numbers does not mean that we will unmask all currently-masked NRIC numbers. We should have made this clear too."
"People" search function disabled
In the interim, ACRA has disabled the "People" search feature in its Bizfile portal.
It will be re-enabled in the week of Dec. 23, but this time without NRIC numbers, either full or partial.
Plans are also underway to restore the service to a level that works for both public and business users, Chia-Tern said.
On a broader level, the Personal Data Protection Commission (PDPC) will update the guidelines on how to correctly use the NRIC.
Indranee concluded:
"Let me reiterate that we do not take this incident lightly.
MOF and ACRA will learn from this episode and setback. We are thoroughly reviewing the incident to identify areas where we should have done and can do better, including improving the communication and coordination between agencies, and the features of our digital services.
We will continue to monitor feedback on the Bizfile portal, and will review and update Bizfile on an ongoing basis."
Top image by Mothership