Over 500,000 searches made in 5-day period when Acra’s new Bizfile portal had full NRICs available

SINGAPORE - More than 500,000 searches for individuals were made on the Bizfile portal during the five-day period from Dec 9 to 13 when full NRIC numbers were made available.

This is much higher than the usual daily traffic of 2,000 to 3,000 queries made through the portal’s free People Search function, said Second Minister for Finance Indranee Rajah in Parliament on Jan 8, citing investigations thus far.

The new Bizfile portal, managed by the Accounting and Corporate Regulatory Authority (Acra), was launched on Dec 9. Members of the public began voicing their concerns on Dec 12 about

the disclosure of the NRIC numbers.

The authorities temporarily disabled the search function on the night of Dec 13.

Ms Indranee said the bulk of the queries on the new portal were made on Dec 13. These came from an estimated 28,000 IP addresses, most of which were from Singapore, she added.

She was responding in a ministerial statement to questions from MPs on the incident, which had unfolded in mid-December.

Ahead of the sitting in January, MPs including Mr Dennis Tan (Hougang) and Dr Tan Wu Meng (Jurong GRC) had asked about the number of searches conducted, the number of distinct users who conducted the searches, as well as the number of NRIC numbers that were disclosed before the search function was disabled.

They also asked about the risk that the NRIC numbers had been accessed by malicious actors.

In response, Ms Indranee said the authorities are unable to identify the exact number of NRIC numbers disclosed through the queries, as the Bizfile portal is not configured to track individual queries for its People Search function.

She added that Acra and the Government Technology Agency conducted a security review and identified that the security feature in the People Search function, designed to distinguish between human users and computer bots, was “not working as intended”.

This has since been fixed, she said.

“Thus far, we have not uncovered any known threat actors, based on the IP addresses that were used to make the People Search queries between Dec 9 and 13, 2024,” said Ms Indranee.

Following the incident, Acra is reviewing how its People Search function can be improved, she said.

For example, it is considering the roll-out of additional search parameters, such as the Unique Entity Number (UEN) of the entity with which an individual is associated.

The People Search service has since resumed on Dec 28, with search results no longer showing any NRIC numbers, whether masked or unmasked.

Ms Indranee stressed that Acra’s database does not contain information on all Singapore citizens, but only individuals who are or have been involved in Acra-registered entities.

These include companies, partnerships, as well as non-profit organisations that are companies limited by guarantee.

She also laid out steps that those who are worried their NRIC numbers had been accessed can take to protect themselves.

First, they should ensure their NRIC numbers are not used as a password for any of their digital accounts, and change it as soon as possible if so.

Second, they should not use their NRIC numbers for authentication.

Third, they should not assume someone to be a legitimate authority, even if the person knows their NRIC number.

“Even if someone can recite your full NRIC number, it would be prudent to ascertain their identity and intent by conducting other checks,” Ms Indranee said.