
More than 500,000 searches made on ACRA website between Dec. 9-13 when NRIC fully revealed

The usual daily traffic is 2,000 to 3,000.


January 08, 2025, 05:11 PM


More than 500,000 search queries were made during the five days when NRIC numbers were listed publicly for free on the Accounting and Corporate Regulatory Authority (ACRA) Bizfile portal, Second Minister for Finance Indranee Rajah said in parliament on Jan. 8.

Indranee was responding to questions from Members of Parliament (MPs) on the events leading to the disclosure of full NRIC numbers on the ACRA Bizfile People Search function, and the scale of the disclosure.

"Based on the investigations so far, more than 500,000 queries were made on People Search during that five-day period from Dec. 9 to 13, 2024. This was much higher than the usual daily traffic of 2,000 to 3,000 queries."

Indranee said the bulk of these queries were made on Dec. 13, 2024, the day after news about the search function broke.

The function was disabled on the night of Dec. 13.

Most searches came from S'pore

These searches came from an estimated 28,000 IP addresses, most of which were from Singapore, Indranee said.

On the question of how many NRIC numbers were disclosed, Indranee said:

"We are unable to identify the exact number of NRIC numbers that were disclosed through these queries, as the Bizfile portal is not configured to track individual queries for the People Search function."

Indranee emphasised that ACRA’s database does not contain information on all Singapore citizens.

"It contains information only on individuals who are reflected in filings or lodgements made with ACRA. These are individuals who are or have been involved in ACRA-registered entities, such as companies, partnerships, as well as non-profit organisations that are companies limited by guarantee."

Indranee said that thus far, authorities have not uncovered any known threat actors based on the IP addresses used for the queries.

Indranee noted that when conducting a security review, ACRA and GovTech identified that a security feature designed to distinguish between human users and computer bots using the People Search function was not working as intended.

This has since been fixed, she said.

So what caused the incident?

In response to questions about the cause of the incident, Indranee said that the Ministry of Digital Development and Information (MDDI) had concerns about how NRIC numbers were being used.

In July 2024, MDDI issued a circular instructing all government agencies to stop using NRIC numbers as authenticators or passwords and to cease any planned use of masked NRIC numbers.

ACRA understood this to mean that it had to unmask and fully display the NRIC numbers in the People Search function on the Bizfile portal, Indranee said.

Indranee noted that ACRA had internal deliberations about the risks of unmasking NRIC numbers in its People Search function, including the possible impact on personal data protection.

ACRA then sought MDDI’s clarification on whether it was required to do so.

"However, due to a lapse in co-ordination between MDDI and ACRA, ACRA continued to understand, mistakenly, that the directive to cease the use of masked NRIC numbers in new digital services required ACRA to unmask and disclose in full the NRIC numbers," Indranee said.

"Hence, ACRA disclosed full NRIC numbers in the People Search function when the new Bizfile portal was launched on Dec. 9, 2024, as they thought MDDI required them to."

Panel set up to review incident

Indranee said that with the benefit of hindsight, it is clear that there were "gaps" in the communication and understanding of MDDI’s policy intent.

"It was not the government's intent for agencies to make data sets of NRIC numbers in their possession widely and easily accessible," Indranee said.

A review panel that reports to Senior Minister Teo Chee Hean has been set up to study the root cause of the incident, as well as what the government should have done and can do better, Indranee said.

It will review the lapse in coordination and communication between MDDI and ACRA.

The panel will also look into the design and implementation of ACRA's Bizfile People Search function.

Indranee said ACRA will support the panel in its review and will also work on improving its services and data management measures.

One example that ACRA is considering is using additional search parameters, such as the UEN of the entity with which the individual is associated.

Based on the panel’s preliminary findings, the incident seems to be a genuine case of miscommunication born out of an insufficient understanding of the policy intent and each party’s needs and requirements, Indranee said.

The panel expects to complete its review in February and will share its findings thereafter.

Why ACRA gives public access to NRIC numbers

Questions were also raised by MPs on why ACRA provides public access to basic information of individuals, including NRIC numbers.

Indranee said that ACRA, as the national regulator of business registration and financial reporting, is empowered to collect and maintain information on business entities and their associated individuals.

Such associated individuals include owners or directors of companies or shareholders of private companies.

To maintain corporate transparency, facilitate business transactions and guard against illicit activities, ACRA is allowed by law to give public access to such information, including NRIC numbers.

Indranee noted that public access to such information can be useful for companies and banks conducting background checks on clients and investors, and can deter individuals from illicit activities like money laundering or fraud, as such activities can be traced back to them.

What can you do to protect yourself

For those concerned that their NRIC numbers may have been accessed, Indranee suggested some steps that one can take:

    • Ensure that your NRIC number is not used as a password for any of your digital accounts
    • If your NRIC number is currently being used for authentication, change it as soon as possible
    • Do not assume someone to be a legitimate authority even if they know your NRIC number
    • Even if someone can recite your NRIC number, conduct checks to ascertain their identity and intent

Indranee said:

"The government will learn from this episode and do better in the future. We are reviewing this incident thoroughly, and will, in due course, share with the public the lessons learnt."

Top image from Bizfile website/by Mothership
