Top image: Stephanie Lee / RICE File Photo
Some people would use $33 to get two tickets to Wicked, now showing in theatres.
Others more discerning might use the money to buy a bumper-pack-all-inclusive suite of information. They’d be able to purchase the information of any person with an NRIC number—Singaporean or not—as long as they were on the Accounting and Corporate Regulatory Authority’s (ACRA) Bizfile portal.
They might not even need to pay, as people discovered last week. They’d be able to look up someone’s bare NRIC number, quivering in the digital light, for free.
That is, until ACRA disabled Bizfile’s search function on December 14. There goes the weekend plans.
Now that the government’s apologised (again), it’s worth asking: If Singaporeans are still upset, why?
This isn’t about the miscommunication between ACRA and the government. This is about the confusion and consternation people felt—and what it’ll take to move on from this.
What Are We Actually Upset About?
This saga can be broken up into two parts. First, when Bertha Henson’s Facebook post calling attention to the issue and similar social media posts started circulating.
The second phase is when the government issued a response, stating that they were already planning to stop masking NRIC numbers anyway.
(A third phase started last night when the government held a press conference and apologised for the confusion.)
When Bertha Henson’s post began circulating on r/singapore, most commenters seemed more stunned than anything. After the statement was released by the government, though, mere confusion quickly turned to confusing annoyance.
The statement might have explained the situation, but it didn’t really soothe tempers. If anything, it made people more irritated. Why?
The government responses assured us that NRIC numbers don’t affect our information security as much as we thought. Other thought pieces written in the wake of the incident have mulled the issue further. Some experts talked about how some organisations have ‘sloppy attitudes’ towards authentication.
They’ve come to similar conclusions: The government’s right. NRIC numbers really aren’t a secure method of authentication.
In other words, there’s no security problem. Because NRIC numbers were never meant to be used as security measures in the first place.
But it doesn’t change the fact that ACRA may have upset plenty of people. Because for us, this isn’t just a security problem. It’s also a privacy issue.
Kashfun Nazir, an information security specialist, explains the difference: “Security involves protecting data from unauthorised access, use, disclosure, modification, or destruction.
“Privacy refers to an individual’s right to control their personal information, including how it’s collected, used and shared.”
“Personally, I agree with the Ministry of Digital Development and Information of Singapore (MDDI) that this does not cause security issues,” Kashfun says. “However, it does introduce gaps in privacy.”
Asha Hemrajani, a cybersecurity researcher and a Senior Fellow at the S. Rajaratnam School of International Studies, adds: “Sure, NRIC numbers are not secret, but that does not mean they should not be kept confidential, or that they should be treated as casually as names.”
NRIC numbers linked to businesses were already available on the website and available for purchase. ACRA just removed the paywall, so to speak. There are over 600,000 business entities in Singapore—that’s a lot of people whose NRIC numbers were suddenly much easier to access.
What we really meant is: “Why wasn’t my information kept private?”
The answer really should not be: “Your information was never private to begin with. Also, remember not to use your NRIC number as a password.”
Part of why this fiasco even became a fiasco in the first place is simple: To us, the NRIC number is still sacred. Thus, an overnight overhaul—unintentional as it may have been—was jarring to see.
But why do we even care so much about NRIC numbers?
How Did NRIC Numbers Become ‘Sensitive’ Information?
Just five years ago, the way people viewed IC numbers was vastly different, says behavioural scientist Dr Jean Liu. NRIC numbers were used in everyday settings as unique identifiers for record-keeping, visitor registration, and even for lucky draws.
So why did we start holding our ICs closer to our chests?
“This change didn’t just come about because we adjusted our attitudes or because public education campaigns were effective,” Dr Liu explains.
“NRIC numbers came to be seen as sensitive information because they were institutionalised as such: through the NRIC Advisory Guidelines, and because IC numbers were becoming increasingly linked to personal information and the carrying out of tasks amidst Singapore’s digital transformation. If we want to alter national views of the NRIC [number] again, we need similar system-level changes.”
As it stands, though, NRIC numbers have been and still are “very much entrenched” in many aspects of our lives, such as banking, credit cards, insurance, and medical services, Asha says.
Before the Digital IC feature was launched in the SingPass app in 2021, it was also common for most people to have their physical identity cards on them at all times. Losing your identity card is a serious matter, as most of us were taught.
For 12 years, organisations in the private sector have also had to adhere to the Personal Data Protection Act. The Personal Data Protection Commission has taken organisations to task for NRIC number-related breaches of the PDPA—E-Commerce Enablers Pte Ltd and the Singapore Taekwondo Federation were previously fined $74,000 and $30,000 respectively.
When companies are fined hefty amounts for not safeguarding NRIC numbers, you can’t fault us for believing that the alphanumeric combinations that define our citizenship are sacrosanct.
The Next Steps
After the press conference on December 19th, we know this much: The government will consult the private sector and the public on the matter in 2025.
The government has not decided on new guidelines for the private sector’s collection and safeguarding of NRIC numbers. Until then, companies should adhere to the PDPC’s NRIC guidelines, which were issued in 2018.
Within government agencies, though, the decision has been made to phase out the use of masked NRIC numbers, which provide a false sense of security. This doesn’t mean all masked NRIC numbers will become unmasked (this is the part that tripped ACRA up). What it does mean is that full unmasked NRIC numbers will be used as identifiers where necessary.
It’s not just “public education” that’s needed to eventually warm people up to the idea that their NRIC numbers aren’t sensitive secrets. We also need to be assured that people who get a hold of our NRIC number can’t use it to find out more of our personal information or use it for nefarious purposes. This could be part of the public education campaign the authorities are planning to roll out.
Dr Liu points out that NRIC numbers are still linked to our libraries and medical appointments. Without much effort, she was able to create a barcode using an NRIC number, which she then used to borrow library books.
“I’d imagine it would again take time and investment to cater to a world where NRIC numbers are publicly released,” she remarks.
Even if the idea of a prankster making off with a stack of library books under your name doesn’t bother you much, there are more serious threats out there, like scammers.
“Given the fact that Singapore has had a spate of money laundering cases plus the large number of scam cases locally, there are definitely possibilities for new ways of committing crime,” says Asha. For example, criminals might have been able to access NRIC numbers for free on ACRA’s Bizfile portal before the function was disabled, she adds.
She also has doubts about the government’s plan to move towards phasing out masked NRIC numbers among the public sector.
“With regards to the NRIC [number] unmasking plan, it isn’t clear if a detailed risk analysis and corresponding mitigation plan for any of the risks of unmasking had been done,” Asha says.
“It is clear that relying only on NRIC [numbers] as a means of authentication is far from ideal, and MDDI had the public’s best interests at heart when introducing this change. What was not ideal was the timing/sequence of this change.”
Public consultation should have come first, followed by the testing of alternative methods, then a deployment of alternative method(s) followed by, finally, the possible unmasking of NRIC numbers.
“A moratorium or halt to changes should be considered until a full public consultation is done. Even if a full public consultation is not feasible, at least a consultation with fraud and cybersecurity experts should be done.”
The Crux of the Issue
At this point, most of us have probably read enough think pieces to understand the difference between masked and unmasked NRIC numbers, as well as the difference between identification and authentication.
But perhaps the lesson for ACRA, the government, and any entity with control over information is that this isn’t just a protocol issue. It’s also about privacy and trust.
We now know that even ACRA’s old policy of publishing masked NRIC numbers for free on its Bizfile portal wasn’t really that safe. If people really wanted to, it would be easy to deduce someone’s full NRIC number from the masked one. And if people really, really wanted to, they could part with some cash to obtain someone’s NRIC number, among other information.
But it’s only natural to be upset when you feel your privacy has been compromised, and your personal information has been shared casually.
The fact is that from December 9th, when the new Bizfile portal was launched, to December 13th, the full NRIC numbers of anyone registered with ACRA were available for free. No extra steps needed. That’s not insignificant, especially at a time when it is still possible to misuse NRIC numbers.
Before organisations overhaul their security systems and come up with stronger authentication measures, lots of us are going to have to be extra vigilant.
Our NRIC numbers aren’t as sensitive as we thought. We, however, are.
But maybe we have a good reason to be.
