'We are very sorry': Government apologises for confusion, anxiety over NRIC unmasking saga
SINGAPORE: The government apologised to the public on Thursday (Dec 19) for the saga over unmasking National Registration Identity Card (NRIC) numbers.
“We are very sorry to have caused them much anxiety,” said Minister for Digital Development and Information Josephine Teo at a press conference, adding that the public’s concerns are taken seriously.
“We had wanted to give them better protection, and this required a change in our policy involving the use of NRIC numbers, because the current situation leaves us vulnerable.”
The government had intended to make the change only after explaining to citizens the rationale but before it could do so, the Accounting and Corporate Regulatory Authority (ACRA) went ahead and launched its Bizfile portal, with a search function that produced people's names and full NRIC numbers.
“On behalf of ACRA, I would like to apologise for causing anxiety and concerns to members of the public over the disclosure of NRIC numbers on our Bizfile portal,” said ACRA’s chief executive Chia-Tern Huey Min.
LAPSE OF COORDINATION
Mrs Chia-Tern said the Ministry of Digital Development and Information (MDDI) had in July “issued a circular for government agencies to cease any planned use of masked NRIC numbers in new business processes and services”.
This was part of a wider government effort to uphold the use of NRIC numbers as a unique identifier, and to move away from the use of masked NRIC numbers, which provides a false sense of security, she said.
“Unfortunately, there was a lapse of coordination between the staff on how this was to be implemented. ACRA then proceeded on the misunderstanding that it should unmask NRIC numbers in the new Bizfile portal,” explained Mrs Chia-Tern.
Acknowledging the mistake and oversight on ACRA’s part, she reiterated her apology for the anxiety and confusion caused to the public.
“As the owner of the Bizfile portal, ACRA should have been more mindful that many Singaporeans have long treated their NRIC numbers as private and confidential information, and would not want to have their full NRIC numbers searchable on the new portal,” said Mrs Chia-Tern.
“We should also have taken more deliberate care to ensure that such information, deemed sensitive by many, is provided only when needed.”
As Singapore's national business registry, ACRA has to keep an accessible repository of information on business entities and the people behind them to facilitate due diligence checks, she said. This ensures corporate transparency and guards against illicit activities.
Second Minister for Finance Indranee Rajah emphasised that the shift in policy does not mean that all masked NRIC numbers will necessarily become unmasked.
“That's exactly what ACRA thought too, so I'm just trying to illustrate that that’s how the error occurred,” she said.
LEARNING FROM THIS EPISODE
“ACRA will learn from this lesson and tighten our systems and processes,” said Mrs Chia-Tern, adding that the search function in question has already been disabled.
Ms Indranee, who is also Minister in the Prime Minister’s Office, said that the authorities do not take this incident lightly.
“MOF (Ministry of Finance) and ACRA will learn from this episode and setback,” she said.
“We are thoroughly reviewing the incident to identify areas where we should have done and can do better, including improving the communication and coordination between agencies, and the features of our digital services.”
In response to a CNA question on whether any action will be taken towards staff from ACRA or any other agency found responsible for this lapse, Ms Indranee said it would be “premature at this stage to say whether anything is going to happen to the particular staff in question”.
“You must remember, this is an instance of a misunderstanding. And I think one has to ascertain exactly how that came about and have a look at the full facts, before deciding on what, if anything, needs to be done,” she said.
COMMUNICATING WITH THE PUBLIC
Ms Indranee also addressed the speed of the authorities’ public response, noting the five-day gap from when the first media statement was put out after the incident broke.
Before Thursday’s press conference could be convened, more thorough checks had to be done all the way down to the staff level, as the situation occurred suddenly and also involved multiple parties, with two ministries and one agency, she said.
“So it does take a little bit of time, and that's why there's a bit of a gap. Obviously, if we can do it faster, that would be ideal, but that is the reason why there is a bit of a gap between the earlier statement and this,” said Ms Indranee.
She said that the original plan to roll out the policy shift was to have “a phased out sequence with the proper communications”.
“But what happened in this instance is that, because of a misunderstanding, the numbers inadvertently got put out, then it became an issue, and then everything got accelerated,” she said.
Ms Indranee said the government will do its best to consult, explain, take feedback and communicate with the public in the proper sequence and as quickly as possible.
However, when unintended disruptions to communications plans come along, as with the ACRA incident, “what's very important is to be able to let all of you know what happened, and also to express our sincere regrets and apologies that it happened, and to reassure people on this”, she said.
Mrs Teo said the incident was “really unfortunate” as it arose out of a misunderstanding.
“If things had gone according to plan, we would have had the chance to do the proper communications. And that is just really something that should not have happened, but it did happen, and for which we are very sorry.”
Over 500,000 searches made in 5-day period when Acra’s new Bizfile portal had full NRICs available
SINGAPORE - More than 500,000 searches for individuals were made on the Bizfile portal during the five-day period from Dec 9 to 13 when full NRIC numbers were made available.
This is much higher than the usual daily traffic of 2,000 to 3,000 queries made through the portal’s free People Search function, said Second Minister for Finance Indranee Rajah in Parliament on Jan 8, citing investigations thus far.
The new Bizfile portal, managed by the Accounting and Corporate Regulatory Authority (Acra), was launched on Dec 9. Members of the public began voicing their concerns about the disclosure of the NRIC numbers on Dec 12.
The authorities temporarily disabled the search function on the night of Dec 13.
Ms Indranee said the bulk of the queries on the new portal were made on Dec 13. These came from an estimated 28,000 IP addresses, most of which were from Singapore, she added.
She was responding in a ministerial statement to questions from MPs on the incident, which had unfolded in mid-December.
Ahead of the sitting in January, MPs including Mr Dennis Tan (Hougang) and Dr Tan Wu Meng (Jurong GRC) had asked about the number of searches conducted, the number of distinct users who conducted the searches, as well as the number of NRIC numbers that were disclosed before the search function was disabled.
They also asked about the risk that NRIC numbers had been accessed by malicious actors.
In response, Ms Indranee said the authorities are unable to identify the exact number of NRIC numbers disclosed through the queries, as the Bizfile portal is not configured to track individual queries for its People Search function.
She added that Acra and GovTech had conducted a security review and identified that the security feature in the People Search function, designed to distinguish between human users and computer bots, was “not working as intended”.
This has since been fixed, she said.
“Thus far, we have not uncovered any known threat actors, based on the IP addresses that were used to make the People Search queries between Dec 9 and 13, 2024,” said Ms Indranee.
Following the incident, Acra is reviewing how its People Search function can be improved, she said.
For example, it is considering the rollout of additional search parameters, such as the Unique Entity Number (UEN) of the entity with which the individual is associated.
The People Search service has since resumed on Dec 28, with search results no longer showing any NRIC numbers, whether masked or unmasked.
Ms Indranee stressed that Acra’s database does not contain information on all Singapore citizens, but only on individuals who are or have been involved in Acra-registered entities.
These include companies, partnerships, as well as non-profit organisations that are companies limited by guarantee.
She also laid out steps that those worried that their NRIC numbers had been accessed can take to protect themselves.
First, they should ensure their NRIC numbers are not used as a password for any of their digital accounts, and change it as soon as possible if so.
Second, they should not use their NRIC numbers for authentication.
Third, they should not assume someone to be a legitimate authority even if they know their NRIC number.
“Even if someone can recite your full NRIC number, it would be prudent to ascertain their identity and intent by conducting other checks,” she said.
https://www.straitstimes.com/singapore/politics/over-500000-searches-made-in-5-day-period-when-acras-new-bizfile-portal-had-full-nrics-available
Folks are now baying for Jo Teo's blood🤭
https://www.change.org/p/resignation-of-digital-development-cybersecurity-minister-josephine-teo
Since one's NRIC no. ain't a secret no more, here's Lee Hsien Loong's.
ACRA’s current chief executive Chia-Tern Huey Min has been on the job for only 9 months thus far?
Appearing genuinely contrite is an art form she has yet to master. Try harder next time, Jo Cunt.
Look what I just leeceived:
A torrid December for the PAP: transparency, trust, and truth under scrutiny
One teenage rite of passage for Singaporeans is the process of registering for a national registration identity card (NRIC), a physical manifestation of the bond between state and citizen. An adult rite is the act of moving into your own space. The sense of pride, safety and trust through citizenship under a forward-thinking and responsive government, alongside access to affordable housing in a fair and equitable market, have been two quintessential elements of being Singaporean since independence. Yet, two separate incidents in the past week have exposed their respective decay. And together they point to the increasing incompetence and short-sightedness of the ruling People’s Action Party (PAP).
First was the revelation that society should no longer consider NRIC numbers as sensitive and private. Consider the relationships the card mediates between an individual and others, between one’s personhood and the imagined community and state. On each person’s NRIC is printed a name, race, date of birth, sex, address, and an identity number. The NRIC accompanies one throughout life—school, employment, banking and telco services, office visitor registration—in the process reifying the markers through which the state gazes and the gaze is felt.
The only really unique identifier on the NRIC is the eight-digit alphanumeric. Guard it, keep it safe, utter its digits only when necessary. In 2018, the Personal Data Protection Commission (PDPC) announced that from September 2019, organisations would generally not be allowed to unnecessarily collect, use, or disclose the number where the law does not require it. (The government was exempt.) Among other warnings in its advisory guidelines, PDPC said: “Indiscriminate or negligent handling of NRIC numbers increases the risk of unintended disclosure with the result that NRIC numbers may be obtained and used for illegal activities such as identity theft and fraud.” The NRIC number is sacred, Singaporeans concluded.
We were wrong. Let’s recount the events that led to yesterday’s extraordinary press conference. Last Thursday, Bertha Henson, a former journalist turned acerbic social media commentator, revealed the ease with which a visitor to the Accounting and Corporate Regulatory Authority (ACRA) website could access Singaporeans’ NRIC numbers.
A security flaw? Don’t be silly. It was all part of the plan. On Saturday, the Ministry of Digital Development and Information (MDDI), which manages PDPC, said that it had always intended to “unmask” NRIC numbers, “after explaining the issue and preparing the ground”. Masking had apparently offered a false sense of security about the numbers. But before the government had had a chance to conduct “a public education effort”, ACRA had acted preemptively by updating its Bizfile system. “As a unique identifier, the NRIC number is assumed to be known, just as our real names are known.” Duh. Why would you think otherwise?
The patronising tone suggested, once again, that we are daft subjects led by rulers light-years ahead. There was an apology for ACRA’s mistake, but not a hint of contrition about the mixed messaging.
PDPC, 2018: NRIC numbers obtained can be used illegally for identity theft and fraud.
MDDI, 2024: Your NRIC number, like your name, is assumed to be known by all.
Ironically, for a statement arguing for transparency with one’s name and NRIC number, not a single civil servant or politician put their name to it. “[T]o be attributed to MDDI spokesperson,” it said, in the typically cold, Orwellian, cover-backside language of late-stage PAP. Across social media, many Singaporeans said they felt gaslit.
In digital security parlance, the two relevant concepts are Identification (Who are you?) and Authentication (Are you who you say you are?). The NRIC number should ideally fulfil only the former—think of it as your digital name—but not the latter, which is perhaps best served by biometrics such as fingerprints. Unfortunately, partly because of Singapore’s inconsistent approach to digital security, individuals and organisations may still be using it for both Identification and Authentication, something alluded to on Monday by Ho Ching, former boss of Temasek, in her otherwise chest-thumping apologia for this brouhaha. (Unlike her elected comrades at the PAP, the unelected Ho is, pity our ears, not shy one.)
This incident has unleashed a wave of fear across society. Have hackers now gained access to Singaporeans’ NRIC numbers? Has it become easier to produce fake Singaporean NRICs? Can others access your housing, banking, and telco records with your NRIC number? Are Singaporeans, already prone to scams, now at even greater risk? What are the implications for Singpass, which partly relies on one’s IC number? (Ho’s son, Li Hongyi, was until recently director of Singpass.) Private sector businesses, who’ve invested in IT security to ensure their customers’ NRIC numbers are protected, must be fuming at the apparent double standards.
This debacle has also, perhaps more than any other in recent memory, exposed the tepidness and obsequiousness of Singapore’s mainstream media (MSM). First, it took a citizen journalist earning nothing to expose potential harm, another sign that highly paid MSM editors are blinkered when it comes to journalism involving their political paymasters. Even after Henson pointed it out, the MSM hasn’t properly called out the government’s 2018 to 2024 flip flop, instead mostly regurgitating MDDI talking points.
Meanwhile, last Saturday The Online Citizen reported that the PDPC had removed the PDF of its 2018 guidelines altogether from its website, citing the need for “updates”. Soon after, the doc was again available, with the briefest of acknowledgements about recent events, indicating that an update is on the way, but in the meantime the prevailing guidelines still apply. And thus the 2018 PDPC - 2024 MDDI contradiction remains. Damage control, like the entire botched unmasking journey that precipitated it, has shown “Whole of Government” to be camouflage for Hole in Government.
It’s the biggest challenge thus far facing Lawrence Wong, new prime minister, and his 4G leadership team. Yesterday late afternoon, almost four days after Ho first spoke, they finally got their heads out of the sand. A press conference featured: Josephine Teo, MDDI’s embattled minister already reeling from numerous public gaffes; Indranee Rajah, second minister for finance; and Chia-Tern Huey Min, ACRA’s boss.
The blame, of course, fell on ACRA and Chia-Tern—misunderstanding an earlier MDDI circular, about ceasing the use of masked numbers, to mean it’s okay to expose them fully. Teo clarified what she sees as “two levels” of confusion in society: the unmasking is actually an internal government imperative but not one for the private sector; and guidelines for the private sector haven’t changed since 2018. She didn’t address the glaring contradiction in messaging that remains. As we have come to expect, she delivered long word-salad explanations, and non-apologies that seemed more to chide citizens for their anxiety and confusion.
What’s still unclear, however, is the universe of Singaporeans whose NRIC numbers were exposed through ACRA. Henson’s initial posts, verified by readers, suggested that even Singaporeans without any business dealing were on the database. A Business Times article last Friday morning said they are “likely [emphasis added] to be shareholders or directors” of locally registered firms. Yesterday Chia-Tern, reading from a script, said that only “company directors and shareholders” are involved; while Indranee, also reading from a script, said that it’s limited to people who “had made a filing with ACRA to become a company director or already are a company director”. Which is it? Lagi confusion.
One might argue that there’s nothing surprising about arrogance, elitism, flip-flopping, obfuscation, and media sycophancy in the PAP’s Singapore—voters will just suck it up. Yet a key part of our social compact—trading in civil and political liberties for growth and stability—was the blind faith that the PAP would always keep us safe. This can no longer be taken for granted. In an era of rampant identity theft globally, and in a country with a patchy record for digital security, this NRIC incident is a colossal failure.
Separately on Monday, in an incident that also sheds light on identity and transparency, two ministers, K Shanmugam and Tan See Leng, threatened legal action over a Bloomberg article about transactions of so-called good class bungalows (GCBs), the most premium segment in Singapore’s property market. For those worried about the huge recent influx of foreign wealth into our tiny city—with all its implications for inequality, cost of living, and possible financial improprieties—the revelations were damning.
The value of GCBs transacted this year was at least an eye-watering S$1.1bn. Almost half of them by value didn’t include legal filings that would offer transparency on the owners’ identities and other details. Many of these exorbitant mansions have been snapped up by naturalised Singaporeans originally from China. For instance, the year’s biggest deal saw Xiang Yangyang, daughter of Chinese nickel billionaire Xiang Guangda, buying a 2,612 sq m (28,115 sq ft) property for S$84m—an astronomical profit for its (unnamed) seller, who paid S$37.6m for it in 2020. The three PAP ministers mentioned in the article are Shanmugam, Tan, and Mah Bow Tan, a former minister who sold his mansion for S$50m to a China-born Singapore citizen last year.
The inequity of housing and space is an increasing liability for the PAP. The euphoria felt by millionaire landowners in a frothy GCB market contrasts sharply with the financial anxiety that grips those in the public housing market. (Depicted by Jonathan Lin in “Affordability in the lion city: is Singapore’s public housing model built to last?”) Rich Singaporeans who own private freehold properties, including all those GCBs, will be able to pass them onto their kids (with no inheritance tax), their values presumably rising perpetually. Most of the other Singaporeans who own 99-year leasehold properties—the vast majority of homeowners—effectively own assets whose values will rise but then start to decline, and will eventually be worth nothing.
In a Facebook post, Shanmugam said that he and Tan would be taking action against Bloomberg and “others who have also published libellous statements about those transactions”. We’ll eventually find out details of the alleged libel, though the Bloomberg article remains live at the time of writing.
The risk for Shanmugam and Tan is with optics: some Singaporeans might wonder if they are trying to mask any alleged business dealings. Unlike many democracies, Singapore does not require public asset declarations from its politicians. In the wake of the NRIC incident, one meme poked fun at the inanity of what’s considered classified here: every Singaporean’s NRIC number can be revealed, apparently, but not Ho’s then salary at Temasek.
Shrouded in secrecy too, of course, are the identities of buyers of many plum properties. Through the government’s Integrated Land Information Service (INLIS), one can obtain property ownership and other land information—but not if, for instance, the buyers have used shell companies or trusts to hide their identities, as Bloomberg said more are doing. Who in this country has the right to privacy, to be obscured, to be forgotten? Why can some linger at the dark edges of what Kimberly Kay Hoang called Spiderweb Capitalism? Some identities are seemingly more sacred than others.
Shanmugam and Tan’s current legal action could thus be perceived negatively, particularly given the broader global push for greater financial transparency. There’s a risk that they themselves drift closer, in the public’s eye, to the plutocrats that the PAP has so assiduously courted over the years.
Are PAP ministers more concerned about the interests of this global elite or ordinary Singaporeans? With which group do they have more in common? These questions have been slowly percolating through society since the PAP fully embarked on its global city drive in the 2000s. Amidst the class angst is a growing sense of disaffection with leaders. None of this portends a significant swing away from the PAP at the next general election, due by November 2025. The Singaporean voter is notoriously risk-averse, picking up on PAP iniquities and smarting from its condescension between elections, only to fall back into its presumed protective embrace at the next ballot.
Power, as we know, will never relinquish its grip quietly. Following Shanmugam’s post was one from Calvin Cheng, a former nominated member of Parliament who, like Ho, is a dependable social media apparatchik. Cheng said he’s “upset that foreign media is sowing discord in Singapore” by “inciting class envy” and “inciting anti foreigner sentiment”. Cheng blamed Bloomberg for spreading “conspiracy theories”.
It’s an old trick. In a grossly unequal society, the powerful will deploy rabble-rousing language in the hope that nationalist fervour blinds people to the existing structural injustices, numbs them from the unrelenting stress of holding up a system whose spoils are unevenly shared. Perhaps the most telling statement in the article was from a senior lawyer, who told Bloomberg that some Chinese buyers are exploring purchases with the “anticipation of obtaining Singapore citizenship in the very near future.” This is a week, then, that actually sharpened the contours of that nebulous Singaporean identity. One day, the number you were assigned is sacred; the next, it’s everybody’s business. One day citizenship, belonging, and the very earth on which we stand are protected; the next, they’re possibly up for sale to the highest bidder.
From the land that binds us to our past to the digital realm where our future lies, Singaporeanness is very much about forgoing your personhood and submitting yourself to the whims of an impersonal, global, capitalist order. We’re each but a droplet tossed and turned in the turbulent ocean of financial liquidity.
Your rites of passage, it turns out, are really not about you.
https://www.jom.media/a-torrid-december-for-the-pap-transparency-trust-and-truth-under-scrutiny/
I would be worried if Josexfiend Teo is actually good-for-something
https://www.theonlinecitizen.com/2024/12/20/governments-backtracking-on-nric-unmasking-and-the-miscommunication-excuse/
The Ah Longs ain't gonna be too happy about this NRIC unmasking affair either :P
An independent COI must be convened ASAP to determine how this FUBAR erupted ever so "spectacularly".
Looks like she will be taking home the Best Actress accolade once again next year 🏆
See? That wasn't so difficult was it? 😎
Apology not accepted, please go commit harakiri right away.
PAP enacted the Personal Protection Data Act in 2012, yet backtracks and now wants to pursue data UNPROTECTION for the masses, really is ownself slap ownself