Singapore's Ministry of Finance has initiated a review of the government’s handling of National Resident Identity Card (NRIC) data, following complaints that unnecessary exposure of the data may have helped to fuel scammers.
Last week, Singapore minister of finance Josephine Teo delivered a parliamentary statement in which she attempted to allay concerns around government mishandling of NRIC numbers.
For five days during early December 2024, the NRIC numbers of Singapore citizens and permanent residents were made freely available via the government’s Bizfile portal.
Bizfile, which is managed by the Accounting and Corporate Regulatory Authority (ACRA), allows business owners to access registration, filing and information services online.
On December 9, a new version of Bizfile went live, only to be suspended on December 13 following complaints from the public.
In its original design, the updated version of Bizfile had made the NRICs of all persons in its database visible via the "People Search" function.
In effect, this meant that anyone who searched the database could find both the name and the NRIC of a listed person.
Under the previous version of Bizfile, users who wanted to see the NRIC number of a listed person had to pay a fee to access that person’s "People Profile".
In theory, this mitigated the risk of abuse by bots, fraudsters and scammers, because it made the system a costly source from which to extract data.
But under the new version of Bizfile, the ease of access to both names and NRIC numbers caused widespread alarm among the public.
In response, the ACRA agreed to revert to the previous system, whereby all NRIC numbers are hidden behind a paywall.
However, by this point, the damage to confidence in the government’s handling of the data was already done.
“The Bizfile incident is unfortunate,” said finance minister Teo. “Without intending to, it led the public to believe that the government is changing its policy to allow full NRIC numbers to be exposed on a wide scale.
“This is not the case. We take the public’s concerns seriously and are very sorry for the mistake that caused them much anxiety.”
The review, which is expected to be completed in February, is led by Leo Yip, head of the Civil Service, and includes permanent secretaries whose ministries are not involved in NRIC handling policy or the Bizfile incident.
Its investigations so far show that more than 500,000 queries were made via People Search during the five-day period from December 9 to 13, 2024.
According to Indranee Rajah, deputy finance minister, this was “much higher” than the usual daily traffic of 2,000 to 3,000 queries.
The searches came from an estimated 28,000 IP addresses, most of which were from Singapore.
Following a security review, ACRA also found that a key security function in People Search was not working as intended during the five-day period.
This feature, as noted by Rajah, was designed to distinguish between human users and bots accessing the Bizfile database.
The minister confirmed that the security fault has since been fixed.
How dangerous are exposed NRIC numbers?
In a country that is facing an epidemic of scams, Singaporeans are understandably concerned about their NRIC data getting into the wrong hands.
In the first six months of 2024, Singaporeans lost S$385m ($280m) to scams, with the total number of scam cases rising by almost 17 percent over the same period in 2023.
However, Teo was quick to point out that there are relatively few scam cases in which only the victim’s name and NRIC number are used to extract money from them.
“Most NRIC-related scams involve victims who think they are speaking to figures of authority and end up taking actions that harmed themselves, such as transferring money without further checks,” said Teo.
“Very few cases have involved scammers directly using NRIC numbers to unlock access to valuables.”
Nonetheless, the government has taken the opportunity of the Bizfile incident to raise awareness of the “proper” use of NRIC numbers within both the public and private sectors.
The government is calling on private organisations to refrain from using NRIC numbers as proof of identity when providing services to individuals.
“This practice makes us more vulnerable, as our NRIC numbers could be known to others,” it said.
It is also calling on both public and private organisations to refrain from using “masked” NRIC numbers — where only the final four digits of an NRIC number are visible — claiming that they create a “false sense of security”.
“Although the full NRIC number is concealed, it is not difficult to derive the full NRIC number using simple algorithms, especially if the person’s year of birth is known,” it said.
Prasad Thandapani, senior analyst at Vixio, said the fallout of the Bizfile incident will be interesting from a fraud perspective.
“For years, Singaporeans have been told that their ID numbers are to be protected and only be revealed to trusted institutions,” he said.
“Now that this information has been made public, any resulting increase (or lack thereof) in fraud or attempted fraud will be a good indicator of how true this really is.”
Already, the Bizfile incident is suspected to have played a role in a sudden uptick in cases where NRIC holders have seen their home address changed within the Immigration and Checkpoints Authority (ICA) database.
This month, the home addresses of around 60 people were changed online without their knowledge, after scammers obtained their NRIC and Singpass details.
In the whole of 2024, only a handful of unauthorised changes of address were reported to the ICA. Nonetheless, the agency said there is no indication that the uptick is related to the Bizfile incident.