6 missteps in Acra’s disclosure of full NRIC numbers in December 2024
A review panel flagged shortcomings that led to the mass disclosure of NRIC numbers of key business representatives and others on Bizfile’s database.
SINGAPORE - A review panel investigating the disclosure of full NRIC numbers last December on the Accounting and Corporate Regulatory Authority’s (Acra) Bizfile portal published its findings on March 3.
The probe found no deliberate wrongdoing.
These are the key shortcomings highlighted:
1. MDDI should have been clearer
The report found that MDDI was not clear enough in its policy communications issued in July 2024.
MDDI had written that agencies are to immediately cease any planned use of masked NRIC numbers, such as in new business processes or digital products.
In a question-and-answer section on what agencies should do with all the masked NRIC numbers currently in existing systems, MDDI said the agencies are not allowed to continue to use masked NRIC numbers in any of the internal government systems. “Agencies should either display the full NRIC number, or consider if there is even a need to use NRIC numbers.”
Given that this was a complex policy, MDDI should have been more precise and provided more context in the circular, the panel wrote, adding: “This would have helped agencies like Acra better interpret the (circular).”
It noted that MDDI made an effort to ensure the circular was understood by agencies, having engaged with nearly 50 agencies, including Acra, on their use of NRIC numbers.
Acra and MDDI had exchanged multiple e-mails on the topic without addressing the crux of the misunderstandings.
For instance, MDDI was not explicit that it considered Bizfile’s People Search tool an existing use, rather than a “planned use”, of partial NRIC numbers that would not be immediately stopped. In turn, Acra did not make clear its interpretation of MDDI’s instructions.
“Both agencies should have taken the initiative to discuss the matter in depth, given that there were important details to clarify and that the new Bizfile portal is a major public platform,” according to the report.
2. Insufficient sharing of information within Acra
Two officers from Acra who attended MDDI’s July 16 briefing and received meeting materials on the new policy should have ensured that the information was disseminated within Acra, especially to those who needed to act on the circular. “However, this was not done,” said the panel.
A frequently-asked-questions document that was shared with the officers would have alerted senior management to the fact that stopping the use of partial NRIC numbers did not mean showing full NRIC numbers in every case, and agencies could drop the use of NRIC numbers altogether.
The panel recommended that Acra review its processes to ensure there is sufficient dissemination of information within the organisation and to those who would require it to make informed decisions.
3. MDDI should have paid more attention to complex uses
MDDI should have given more guidance to more complex new applications – such as public registries – to help agencies understand how to stop the use of partial NRIC numbers and decide if full NRIC numbers were necessary, the panel reported.
Although Bizfile’s People Search function was an existing-use case – rather than a new application, as Acra had thought – it was a more complex use of NRIC numbers that warranted closer guidance by MDDI, the report said.
4. Poor risk assessment by Acra
The panel found that Acra misjudged the need for corporate checks through Bizfile at the expense of privacy, making personal data too easily accessible.
Acra applied its incorrect interpretation of MDDI’s message to its existing Bizfile design without adapting it to the purposes of the People Search function, which is primarily to help users narrow down which profile to purchase, such as to identify an individual who might have the same name as others.
The panel said Acra should have explored alternative People Search designs in the new Bizfile portal, ensuring that users could retrieve only the necessary data – such as by requiring extra search parameters like a Unique Entity Number.
The report noted that although Acra was aware of the risks of displaying full NRIC numbers, it did not adequately consider other designs, as the new Bizfile portal was in its final stages of development when MDDI’s new directions were introduced in July.
Acra should have considered if there was a need for Bizfile users to view the NRIC numbers in full.
The incident took place before public education efforts had begun on the proper use of NRIC numbers as a unique identifier, exacerbating concerns when the full NRIC numbers were easily retrievable on Bizfile, said the report, adding that MDDI should have started public engagement earlier than it had planned.
5. Security features on Bizfile lacking
Some cyber-security features that would have prevented users from collecting data from the Bizfile portal en masse were not adequately set up when the portal was launched on Dec 9, the panel found.
This included the Captcha function, a common pop-up that challenges users to decipher distorted letters or complete other tests, in order to tell real users apart from automated ones such as bots.
Acra asked its IT vendor to resolve the issue urgently, and it was fixed by the time the People Search function resumed on Dec 28.
The IT vendor was not named in the report.
At least 500,000 queries were made.
The report noted that Acra was not able to identify the exact number of NRIC numbers that were disclosed through these queries, as the Bizfile portal is not configured to track individual queries for the People Search function.
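The two design gaps described in sections 4 and 5, a search that returned more than was needed without a narrowing parameter, and a portal with no bot throttling and no per-query tracking, can be illustrated together. The following is an added example, not Acra's or Bizfile's code and not taken from the report: a People Search-style lookup that requires a Unique Entity Number before any person record is returned, returns only a masked identifier, throttles each client's query rate, and writes every query to an audit log so that the scope of any disclosure can be reconstructed afterwards. All names, records, client IDs and thresholds are constructed for illustration; the real Bizfile data model and its UEN validation rules are not assumed here.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Constructed sample records: fake names, UENs and NRIC numbers for illustration only.
RECORDS = [
    {"name": "Tan Ah Kow", "uen": "202312345A", "nric": "S1234567D"},
    {"name": "Tan Ah Kow", "uen": "201898765B", "nric": "S7654321A"},
    {"name": "Lim Bee Hoon", "uen": "202312345A", "nric": "T0012345Z"},
]


def mask_nric(nric: str) -> str:
    """Return only the last four characters, e.g. S1234567D -> *****567D.

    The search result is meant to help a user pick the right profile, so the
    full identifier is never included in the response.
    """
    return "*" * (len(nric) - 4) + nric[-4:]


@dataclass
class PeopleSearch:
    """A lookup endpoint with per-client rate limiting and an audit trail."""

    max_queries: int = 5          # queries allowed per client per window (assumed threshold)
    window_seconds: int = 60      # sliding window length (assumed)
    audit_log: list = field(default_factory=list)
    _hits: dict = field(default_factory=lambda: defaultdict(deque))

    def _rate_limited(self, client_id: str, now: float) -> bool:
        """Sliding-window check: drop timestamps outside the window, then count."""
        recent = self._hits[client_id]
        while recent and now - recent[0] >= self.window_seconds:
            recent.popleft()
        if len(recent) >= self.max_queries:
            return True
        recent.append(now)
        return False

    def search(self, client_id: str, name: str, uen: str, now: float) -> dict:
        """Look up a person by name, but only within a specific entity (UEN).

        Every request, accepted or rejected, is recorded in the audit log so the
        number of records disclosed to each client can be counted later.
        """
        entry = {"client": client_id, "name": name, "uen": uen, "time": now}
        if self._rate_limited(client_id, now):
            entry["outcome"] = "rate_limited"
            self.audit_log.append(entry)
            return {"error": "rate_limited", "results": []}
        if not uen:
            # The narrowing parameter is mandatory: a bare name search is refused.
            entry["outcome"] = "rejected_missing_uen"
            self.audit_log.append(entry)
            return {"error": "uen_required", "results": []}
        matches = [
            r for r in RECORDS
            if r["name"].lower() == name.lower() and r["uen"] == uen
        ]
        entry["outcome"] = "ok"
        entry["results"] = len(matches)
        self.audit_log.append(entry)
        return {
            "error": None,
            "results": [
                {"name": r["name"], "uen": r["uen"], "nric": mask_nric(r["nric"])}
                for r in matches
            ],
        }

    def records_returned_by_client(self) -> dict:
        """Reconstruct from the audit log how many records each client received."""
        counts = defaultdict(int)
        for entry in self.audit_log:
            if entry["outcome"] == "ok":
                counts[entry["client"]] += entry["results"]
        return dict(counts)


if __name__ == "__main__":
    ps = PeopleSearch(max_queries=3, window_seconds=60)
    print(ps.search("client-a", "Tan Ah Kow", "202312345A", now=0))
    print(ps.search("client-a", "Tan Ah Kow", "", now=1))
    for t in (2, 3):
        print(ps.search("client-a", "Tan Ah Kow", "201898765B", now=t))
    print(ps.records_returned_by_client())
```

The audit log is the piece the report says Bizfile lacked: without a per-query record, the number of NRIC numbers disclosed cannot be established after the fact, whereas here `records_returned_by_client` answers that question directly. The rate limiter is a deliberately simple in-memory sliding window; a production deployment would back it with shared storage and pair it with the Captcha-style challenge the report mentions.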
6. Poor communication with the public
Acra should have disabled the People Search function sooner and, along with MDDI, should have acted faster to lay down the key facts on how the incident happened, after public concerns surfaced on Dec 12, said the report.
It took Acra and MDDI some time to figure out the misunderstanding of MDDI’s instructions and whether there were alternatives to halting the People Search function.
The panel said the agencies should have paid more attention to the disclosure of NRIC numbers first, even as they clarified MDDI’s July instructions.
“Doing so could have helped the agencies to decide and disable the People Search function earlier,” said the report.
The panel added that the agencies should have done better in their response to the public. Various officers in the agencies were responding to public queries without close coordination, said the panel, urging the agencies to review their processes for handling public feedback.
There is room for improvement in how the agencies handled public communications on the correct use of NRIC numbers, the report added.
The Government should have made clear to the public at the outset that moving away from the use of partial NRIC numbers did not automatically mean using full NRIC numbers in every case, nor was it the Government’s intention to disclose full NRIC numbers on a large scale.
The review panel wrote: “Doing so would have helped to reassure the public that NRIC numbers remain personal data, which should only be collected, used or disclosed when there is a need to do so.”
Correction note: In an earlier version of the story, it was reported that the People Search queries between Dec 9 and 13 came from some 28,000 IP addresses, most of them overseas. This has been corrected to say that most of the queries originated from Singapore.