NRIC numbers are still personal data, but don't use them as passwords: S'pore govt
The government will make public education efforts to raise awareness about the proper use of NRIC numbers.
NRIC numbers remain personal data and can only be collected when there is a need to do so, Minister for Digital Development and Information Josephine Teo said in parliament on Jan. 8.
"Organisations that collect NRIC numbers also have a duty of care. Subject to applicable law, they must notify and seek consent on use, and ensure protection of the data. These are existing guidelines that will not change."
51 questions were filed by Members of Parliament (MPs) on NRIC policy and the disclosure of NRIC numbers on ACRA’s Bizfile portal.
After going live on Dec. 9, the portal's search feature allowed users to access the NRIC numbers of Singaporeans in the database.
"We take the public’s concerns seriously and are very sorry that the mistake has caused them much anxiety," Teo said.
Incorrect uses of NRIC
Teo noted that there are also some incorrect uses of the NRIC number today.
She said that an NRIC number is a useful unique identifier in situations where one's name is insufficient, such as in a hospital with several patients with the same name.
However, NRIC numbers have become increasingly used as more than an identifier, Teo noted.
"Previously, organisations would require seeing my physical NRIC card to confirm that I am who I claim to be. However, some organisations assume that if someone can cite my NRIC number, that person must be me! This is clearly wrong."
Teo added that some organisations may go further to give the person access to privileged information or services.
"In such situations, the NRIC number is being accepted as an authenticator, or proof of who a person claims to be. This is clearly inappropriate."
Teo acknowledged that some organisations collect and use a partial NRIC number, usually the last four characters of the NRIC number, thinking that this is safe.
Some individuals have also started to use their NRIC numbers as their passwords, Teo added.
Teo warned that algorithms easily available online have made it easier to work out the full NRIC number from the partial or masked number, meaning that the masked NRIC numbers gave organisations and individuals a "false sense of security".
"This does not really keep the full NRIC number secret. This also makes the practice of using NRIC numbers as passwords even more inappropriate."
Govt tried to stop incorrect use while problem 'relatively contained'
Teo explained that these developments led the government to take steps to stop the incorrect uses of the NRIC number while the problem is "relatively contained".
This meant two things: Not using the NRIC number as an authenticator and moving away from the use of masked NRIC numbers.
"The government knew that it would take time for public sector agencies to make the change. We expected that it would take even longer for the private sector because of longstanding practices and habits," Teo said.
She said that the plan was to first change internal practices in the government before moving on to the private sector and non-profit organisations.
Public education efforts to be brought forward
Teo said the government asked agencies to stop using the NRIC number as an authenticator or as a password, and asked them not to plan new uses, with a view to discontinuing existing uses of masked NRIC numbers eventually.
She said a subsequent lapse in coordination between agencies led to ACRA’s misunderstanding and the disclosure of full NRIC numbers in the People Search function of its new Bizfile portal.
"In hindsight, what we should have made clear was that moving away from the use of masked NRIC numbers did not mean automatically using the full NRIC number instead in every case. At no point was our intention to disclose full NRIC numbers on a wide scale."
Teo said the government had also planned to mount a major effort to help Singaporeans be aware of the risks and to support efforts to stop incorrect practices.
"The Bizfile incident was an unfortunate misstep, which now means these plans need to be brought forward," Teo said.
The government will be making public education efforts to raise awareness among organisations and individuals about the proper use of NRIC numbers and to guide them on what they should do, she added.
What private sector organisations should do
Teo said that private-sector organisations that use NRIC numbers as a factor of authentication or as default passwords should stop this practice as soon as possible.
Those who presently collect partial NRIC numbers to identify people can continue to do so.
"The guidelines for the private sector have not yet changed, and we will only consider how they should be updated after consulting the public," Teo said.
For the physical NRIC card, Teo said it is still suitable as an authenticator, as it contains other identifying information such as photo and fingerprint, and is not easily faked.
What about individuals?
Teo said individuals should be clear that NRIC numbers are like their names. Even if an NRIC number is not widely disclosed, it is not a secret.
As such, Teo said that individuals should not assume that anyone who can cite their NRIC number knows them well, is a figure of authority, or can be trusted.
"We should be cautious about revealing more about ourselves, or saying 'yes' to their requests, or following their instructions, without checking further."
Additionally, those who have used their NRIC number as a password to access any information or service should change the password immediately.
In response to a question on a possible rise in NRIC-related scams, Teo said that very few such scam cases have involved scammers directly using NRIC numbers to unlock access to valuables.
"Most NRIC-related scams involve victims who think they are speaking to figures of authority and end up taking actions that harmed themselves, such as transferring money without further checks."
Stop using NRIC numbers for authentication or as passwords
Teo emphasised that it was not the government's intention to make the full NRIC number widely disclosed, and that it is not heading in that direction.
"What needs to change are the incorrect uses of the NRIC number. These include using NRIC numbers for authentication or as passwords," she reiterated.
"By taking action as soon as possible, we can increase protection for all of us. This will allow us to more confidently use the full NRIC number as a unique identifier whenever we need to do so."
Top image by Mothership