'We are very sorry': Government apologises for confusion, anxiety over NRIC unmasking saga
SINGAPORE: The government apologised to the public on Thursday (Dec 19) for the saga over unmasking National Registration Identity Card (NRIC) numbers.
“We are very sorry to have caused them much anxiety,” said Minister for Digital Development and Information Josephine Teo at a press conference, adding that the public’s concerns are taken seriously.
“We had wanted to give them better protection, and this required a change in our policy involving the use of NRIC numbers, because the current situation leaves us vulnerable.”
The government had intended to make the change only after explaining the rationale to citizens, but before it could do so, the Accounting and Corporate Regulatory Authority (ACRA) went ahead and launched its Bizfile portal, with a search function that produced people's names and full NRIC numbers.
“On behalf of ACRA, I would like to apologise for causing anxiety and concerns to members of the public over the disclosure of NRIC numbers on our Bizfile portal,” said ACRA’s chief executive Chia-Tern Huey Min.
LAPSE OF COORDINATION
Mrs Chia-Tern said the Ministry of Digital Development and Information (MDDI) had in July “issued a circular for government agencies to cease any planned use of masked NRIC numbers in new business processes and services”.
This was part of a wider government effort to uphold the use of NRIC numbers as a unique identifier, and to move away from the use of masked NRIC numbers, which provide a false sense of security, she said.
“Unfortunately, there was a lapse of coordination between the staff on how this was to be implemented. ACRA then proceeded on the misunderstanding that it should unmask NRIC numbers in the new Bizfile portal,” explained Mrs Chia-Tern.
Acknowledging the mistake and oversight on ACRA’s part, she reiterated her apology for the anxiety and confusion caused to the public.
“As the owner of the Bizfile portal, ACRA should have been more mindful that many Singaporeans have long treated their NRIC numbers as private and confidential information, and would not want to have their full NRIC numbers searchable on the new portal,” said Mrs Chia-Tern.
“We should also have taken more deliberate care to ensure that such information, deemed sensitive by many, is provided only when needed.”
As Singapore's national business registry, ACRA has to keep an accessible repository of information on business entities and the people behind them to facilitate due diligence checks, she said. This ensures corporate transparency and guards against illicit activities.
Second Minister for Finance Indranee Rajah emphasised that the shift in policy does not mean that all masked NRIC numbers will necessarily become unmasked.
“That's exactly what ACRA thought too, so I'm just trying to illustrate that that’s how the error occurred,” she said.
LEARNING FROM THIS EPISODE
“ACRA will learn from this lesson and tighten our systems and processes,” said Mrs Chia-Tern, adding that the search function in question has already been disabled.
Ms Indranee, who is also Minister in the Prime Minister’s Office, said that the authorities do not take this incident lightly.
“MOF (Ministry of Finance) and ACRA will learn from this episode and setback,” she said.
“We are thoroughly reviewing the incident to identify areas where we should have done and can do better, including improving the communication and coordination between agencies, and the features of our digital services.”
In response to a CNA question on whether any action will be taken towards staff from ACRA or any other agency found responsible for this lapse, Ms Indranee said it would be “premature at this stage to say whether anything is going to happen to the particular staff in question”.
“You must remember, this is an instance of a misunderstanding. And I think one has to ascertain exactly how that came about and have a look at the full facts, before deciding on what, if anything, needs to be done,” she said.
COMMUNICATING WITH THE PUBLIC
Ms Indranee also addressed the speed of the authorities’ public response, noting the five-day gap from when the first media statement was put out after the incident broke.
Before Thursday’s press conference could be convened, more thorough checks had to be done all the way down to the staff level, as the situation occurred suddenly and also involved multiple parties, with two ministries and one agency, she said.
“So it does take a little bit of time, and that's why there's a bit of a gap. Obviously, if we can do it faster, that would be ideal, but that is the reason why there is a bit of a gap between the earlier statement and this,” said Ms Indranee.
She said that the original plan to roll out the policy shift was to have “a phased out sequence with the proper communications”.
“But what happened in this instance is that, because of a misunderstanding, the numbers inadvertently got put out, then it became an issue, and then everything got accelerated,” she said.
Ms Indranee said the government will do its best to consult, explain, take feedback and communicate with the public in the proper sequence and as quickly as possible.
However, when unintended disruptions to communications plans come along, as with the ACRA incident, “what's very important is to be able to let all of you know what happened, and also to express our sincere regrets and apologies that it happened, and to reassure people on this”, she said.
Mrs Teo said the incident was “really unfortunate” as it arose out of a misunderstanding.
“If things had gone according to plan, we would have had the chance to do the proper communications. And that is just really something that should not have happened, but it did happen, and for which we are very sorry.”
Over 500,000 searches made in 5-day period when Acra’s new Bizfile portal had full NRICs available
SINGAPORE - More than 500,000 searches for individuals were made on the Bizfile portal during the five-day period from Dec 9 to 13 when full NRIC numbers were made available.
This is much higher than the usual daily traffic of 2,000 to 3,000 queries made through the portal’s free People Search function, said Second Minister for Finance Indranee Rajah in Parliament on Jan 8, citing investigations thus far.
The new Bizfile portal, managed by the Accounting and Corporate Regulatory Authority (Acra), was launched on Dec 9. Members of the public began voicing their concerns about the disclosure of the NRIC numbers on Dec 12.
The authorities temporarily disabled the search function on the night of Dec 13.
Ms Indranee said the bulk of the queries on the new portal were made on Dec 13. These came from an estimated 28,000 IP addresses, most of which were from Singapore, she added.
She was responding in a ministerial statement to questions from MPs on the incident, which had unfolded in mid-December.
Ahead of the sitting in January, MPs including Mr Dennis Tan (Hougang) and Dr Tan Wu Meng (Jurong GRC) had asked about the number of searches conducted, the number of distinct users who conducted the searches, as well as the number of NRIC numbers that were disclosed before the search function was disabled.
They also asked about the risk that NRIC numbers had been accessed by malicious actors.
In response, Ms Indranee said the authorities are unable to identify the exact number of NRIC numbers disclosed through the queries, as the Bizfile portal is not configured to track individual queries for its People Search function.
She added that Acra and GovTech had conducted a security review and identified that the security feature in the People Search function, designed to distinguish between human users and computer bots, was “not working as intended”.
This has since been fixed, she said.
“Thus far, we have not uncovered any known threat actors, based on the IP addresses that were used to make the People Search queries between Dec 9 and 13, 2024,” said Ms Indranee.
Following the incident, Acra is reviewing how its People Search function can be improved, she said.
For example, it is considering the rollout of additional search parameters, such as the Unique Entity Number (UEN) of the entity with which the individual is associated.
The People Search service resumed on Dec 28, with search results no longer showing any NRIC numbers, whether masked or unmasked.
Ms Indranee stressed that Acra’s database does not contain information on all Singapore citizens, but only on individuals who are or have been involved in Acra-registered entities.
These include companies, partnerships, as well as non-profit organisations that are companies limited by guarantee.
She also laid out steps that those worried that their NRIC numbers had been accessed can take to protect themselves.
First, they should ensure their NRIC numbers are not used as a password for any of their digital accounts, and change it as soon as possible if so.
Second, they should not use their NRIC numbers for authentication.
Third, they should not assume that someone is a legitimate authority even if that person knows their NRIC number.
“Even if someone can recite your full NRIC number, it would be prudent to ascertain their identity and intent by conducting other checks,” she said.
https://www.straitstimes.com/singapore/politics/over-500000-searches-made-in-5-day-period-when-acras-new-bizfile-portal-had-full-nrics-available