Review highlights misunderstandings & shortcomings that led to ACRA unmasking NRIC numbers on Bizfile

Back in Jan. 8, 2025, Second Minister for Finance Indranee Rajah announced that a panel would be set up to review the "lapse in coordination" between the Ministry of Digital Development and Information (MDDI) and the Accounting and Corporate Regulatory Authority (ACRA) over the full disclosure of NRIC numbers on the new Bizfile portal launched on Dec. 9, 2024.

The findings of that review panel, which was set up on Dec. 18, were released in a 36-page report on Mar. 3.

Broader policy shift misunderstood as "unmasking"

In late 2022, the former Smart Nation and Digital Government Office (SNDGO), which is now part of MDDI, started reviewing the government's policy on the use of NRIC numbers.

Their policy intent, in short, was to move away from the incorrect use of NRIC numbers for authentication, to their proper use as unique identifiers instead.

Accordingly, in September 2023, SNDGO required public agencies to not introduce new uses of NRIC numbers for authentication.

Separately, in early 2024, ACRA proposed to change the "People Profile" in its Bizfile portal, which you would have to purchase, to display partial NRIC numbers. This "People Profile" function used to display full NRIC numbers.

SNDGO advised ACRA on its broad policy direction to return NRIC numbers to their proper use as identifiers. SNDGO also told ACRA they were working towards stopping public agencies' using NRIC numbers for authentication and partial NRIC numbers.

After the exchange with SNDGO, ACRA decided not to proceed with the changes to the "People Profile".

Crucially, in the aforementioned exchange, ACRA used the term "unmask" to summarise the discussion.

This misinterpretation was not corrected by SNDGO, the report noted.

In light of this, as well as feedback from several Bizfile users that full NRIC numbers were necessary for corporate transparency, ACRA walked back its proposed change to the "People Profile".

However, ACRA was left thinking SNDGO's policy intent was about "unmasking" partial NRIC numbers, rather than stopping "new uses" of NRIC numbers as authenticators.

Circular minute put out by MDDI muddled communications

SNDGO's advisement was followed up by a circular minute (CM) issued by MDDI on July 2024, reiterating the broad policy shift over NRIC numbers.

This CM, however, became a further source of miscommunication between MDDI and ACRA.

The CM required agencies to

"immediately cease any planned use of masked NRIC numbers, e.g. in new business processes or digital products".

The report found that ACRA had misinterpreted this requirement in two ways:

1. ACRA thought the requirement applied to the "People Search" function in its new Bizfile portal. This, however, was not MDDI's intention as "People Search" was an existing, not a new, use case.
2. Moreover, the report found that ACRA had been "influenced" by its misinterpretation of SNDGO's policy intent as "unmasking", and thus wrongly took MDDI's requirement to mean fully revealing the NRIC numbers on the Bizfile portal.

The report added that ACRA's misunderstandings arose because MDDI's CM did not clearly explain key terms like "planned use", and did not explain that stopping the use of partial NRIC numbers did not mean showing full NRIC numbers in every case.

In subsequent email exchanges on the CM, the report further found that ACRA and MDDI officers did not sufficiently engage each other to clarify the misunderstandings.

In particular, both sides used the term "unmasking", but with different understandings of what the term entailed. The report added:

"Both agencies did not appreciate the need to discuss this matter in depth, even though it involved a major public registry."

MDDI's briefing materials not shared with ACRA senior leadership

MDDI had appended briefing materials and an FAQ document pertaining to the July 2024 CM to clarify their policy directives.

However, the report found that the documents were not disseminated adequately within ACRA, such as to the project leads for the new Bizfile portal and ACRA senior leadership.

ACRA, therefore, was acting on "incomplete information" when it decided to disclose full NRIC numbers in the "People Search" function of the new Bizfile portal.

Inadequate risk assessments, security concerns

The report added that MDDI should have paid more attention to its implementation plan when it came to public registries, which could potentially disclose a large amount of data to third parties performing searches.

ACRA, on the other hand, did not fully assess the proper balance between sharing full NRIC numbers for corporate transparency, and ensuring they were not too readily accessible.

The report noted that this was a contravention of the Instruction Manual for ICT&SS Management (IM8) which governs the management of data, including how agencies collect, use and disclose data.

Security features not properly implemented by IT vendor

ACRA had required the IT vendor it had engaged for its new Bizfile portal to implement various security features.

However, some of these security features, including CAPTCHA functionality, were not adequately implemented when the new portal launched on Dec. 9, the report found.

ACRA only found out that these security features were not implemented after they commissioned GovTech to perform a security review on Dec. 14.

The report added that ACRA is following up with the vendor and "considering all its available options", but noted that ACRA "remains ultimately accountable" for how the new Bizfile portal was implemented.

Lack of public engagement, inadequate incident management

The report also added that the incident took place before public education and engagement had begun on the proper use of NRIC numbers, exacerbating public concerns when full NRIC numbers became easily searchable in Bizfile's "People Search" function.

The report said that it "would have been better for MDDI to have embarked on public education and engagement earlier than what it had planned."

The report also stated that MDDI's and ACRA's responses after public concerns over the new Bizfile portal surfaced on Dec. 12 should have been better coordinated, and clearer:

"Upon receiving the public feedback, ACRA and MDDI should have ascertained more quickly the key facts of how the Bizfile incident happened, and ACRA should have disabled the 'People Search' function sooner. Doing so would have addressed public concerns in a more timely manner."

ACRA and MDDI apologise

The panel did not find any factual evidence of deliberate wrongdoing or wilful inaction on the part of the MDDI and ACRA officers involved in the incident, but noted that the shortcomings identified in the report should have been avoided.

However, the report noted that the Public Service Division, MDDI and ACRA will follow up to "review the actions and responsibilities of the relevant individual officers."

The report concluded:

"We should have done better, and this review contains important lessons for the Public Service. The lessons that the Panel had identified will be disseminated across the whole of the Public Service, so that agencies can take these on board and similar incidents do not recur."

ACRA and the Ministry of Finance (MOF) apologised for the incident in a joint response, and added that it will improve communications internally and with other agencies, conduct more regular system reviews and strengthen its oversight of vendors to ensure that systems are implemented effectively and in line with requirements.

MDDI also apologised for the incident, and said it was taking "immediate steps to prevent similar incidents", such as by developing further guidance to government agencies on how NRIC numbers should be applied, strengthening internal processes and staff training, and reminding agencies of the Government's existing data management policies and standards.

MDDI also stated that appropriate actions are being taken with the officers and leaders involved. This includes reviewing performance assessments, which will carry financial consequences, as well as counselling and additional training.

Prime Minister Lawrence Wong approved the report for public release, and for the matter to be debated in parliament.

Senior Minister Teo Chee Hean will deliver a ministerial statement on the report in parliament on Mar. 6, 2025.

Top photo from Bizfile website.