Private sector urged to stop using NRIC numbers as passwords, with new advisory issued

SINGAPORE – A new guide to stop the use of National Registration Identity Card (NRIC) numbers as passwords in the private sector was issued on June 26, with organisations advised to stop this practice “as soon as possible”.

The advisory by the Personal Data Protection Commission and Cyber Security Agency of Singapore has been posted on both their websites, said the Ministry of Digital Development and Information (MDDI) in a statement on June 26.

The Government has been taking steps since January to ensure the proper use of NRIC numbers in the private sector, and will be working with the finance, healthcare and telecommunications sectors, among others, in the coming months to develop targeted guidance, the ministry added.

Private sector organisations currently may require people to use their NRIC numbers as passwords to access information intended only for them in certain documents, such as insurance records.

This is unsafe because their NRIC numbers may be known to others, allowing others to impersonate them and have access to their personal data or records, MDDI said.

This is different from organisations using NRIC numbers to identify a person over the phone or online.

Private sector organisations are advised to move away from using full or partial NRIC numbers to authenticate a person’s identity “as soon as possible”, MDDI said.

This includes stopping the use of NRIC numbers as default passwords or partial NRIC numbers that are combined with a date that is easily obtainable, such as date of birth, in documents like password-protected files sent via e-mail.

If it is necessary to authenticate a person, MDDI suggested that organisations use methods such as asking the person to use strong passwords or a security token or having a fingerprint identification system.

“The Government remains committed to protecting citizens’ personal data and ensuring its secure use for rightful purposes,” added MDDI.

The issue of privacy of NRIC numbers arose in December 2024

when users of the Accounting and Corporate Regulatory Authority’s (Acra) new Bizfile web portal raised concerns after realising that people could search for and view the full NRIC numbers of others, without having to log in.

Then, the MDDI said the Government

had intended to change the practice of masking NRIC numbers

, as people can make a good guess at someone’s full NRIC number from the masked number using basic algorithms.

The move away from masking NRIC numbers was to be done “only after explaining the issue and preparing the ground”, but Acra’s move on its Bizfile portal had “run ahead of the Government’s intent”, the ministry said then.

In a press conference later that month, Minister for Digital Development and Information Josephine Teo said

efforts to further educate the public on the proper use of NRIC numbers would be accelerated

, along with plans to consult the private sector on the issue to be brought forward.