Concerns raised over ease of accessing NRIC numbers from Acra portal

SINGAPORE – Members of the public have raised privacy concerns over being able to access individuals’ NRIC (National Registration Identity Card) numbers on the Accounting and Corporate Regulatory Authority (Acra) portal.

Individuals were able to access the IC numbers of those connected to a Singapore-registered business through a search, without paying, via the newly launched website.

In the past, details such as IC numbers and listed business addresses could be obtained via Acra in a PDF file, for a fee.

The concerns were raised by readers spooked by recent scams, including what happened to a holidaying couple whose bank accounts were blocked, and credit cards cancelled, by identity thieves.

On Dec 11, The Straits Times was alerted to the search feature on the Bizfile portal for business regulations and filings. The portal was launched on Dec 9.

“I found my IC number on Bizfile,” said housewife Gina Tan, who checked the portal after a scammer posing as an Interpol officer called her mother and read out her address and IC number.

Believing that the scammers were legitimate because they had her details, her mother almost sent them her own bank details, but was stopped in time by Mrs Tan.

Mrs Tan also found the names and IC numbers of her friends.

Salesman Timothy Chan, 48, who accesses Acra filings regularly in the course of his work, noticed that many people’s IC numbers were openly available on Dec 11.

“In this day and age of identity theft and scams, it defies logic that Acra will openly, and without any type of safeguard, expose Singaporeans to the danger of scams and impersonation out there,” he said.

On Dec 12, ST was able to obtain the NRIC numbers and full names of several prominent businessmen and Cabinet ministers directly from the Bizfile website for free.

In addition, for $33 a name, ST was able to buy the full profiles of these people and obtain their listed business address, as well as current and past appointments.

According to the frequently asked questions page on Bizfile, Acra does not mask NRIC numbers in records because “full identification numbers facilitate accurate verification of individuals’ identities, which is important for various business and regulatory processes”.

“This practice allows for clear and unambiguous identification of individuals associated with businesses,” said Acra, adding that the practice also helps promote transparency in Singapore’s business environment.

Experts approached by ST said the practice exposed a serious vulnerability.

Said Mr Aaron Ang, chief information security officer at Singapore-based IT services company Wissen International: “We have the Personal Data Protection Act to protect our NRIC details, but our statutory board is giving them away for free.”

Under the PDPA, organisations are barred from collecting, using or disclosing IC numbers or making copies of the identity card if they have not sought consumers’ consent. Organisations also need to have business reasons for collecting, using or disclosing IC numbers.

Acra, like other government organisations, is exempted from the PDPA. The Acra Act provides for the authority to disclose personal data in discharging its functions.

Along with other more easily obtained personal information including full names, dates of birth and mobile phone numbers, NRIC numbers can be exploited by criminals to commit identity theft, apply for loans, and even compromise bank and phone accounts, said cyber experts.

“It’s really up to the cyber criminal’s imagination,” said Mr Ang.

Mr Andy Prakash, co-founder of local cyber-security firm Privacy Ninja, said: “Extreme cases can include impersonating individuals to reset banking PINs or getting access to bank accounts, or issuing new credit cards with high limits to another address, depending on each bank’s verification process over a call.”

The potential for harm is more pronounced when the individuals affected are prominent figures such as politicians and business leaders, as cyber criminals could impersonate them to carry out unauthorised transactions.

Citing examples of how impersonators have been able to take over a victim’s e-SIM with the individual’s personal information such as the IC number, name and date of birth, Mr Ang said a sophisticated state actor may be able to pull the same ruse with a politician.

“If they are able to take over the personal number of a politician, then that would naturally be a matter of national security,” he said.

Organised crime syndicates with their own developers would also be able to deploy sophisticated bots to scrape and capture the Acra database of full names and IC numbers in a matter of minutes, warned Mr Prakash.

ST contacted Acra and the Infocomm Media Development Authority on Dec 12 for comment.