Singapore's new personal data protection rules: organisations must seek consent before collecting NRIC numbers

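2025/02/04

The Singapore Government has formally responded to deep public concern over the exposure of identity card (NRIC) numbers, stating clearly that it will never make full NRIC numbers widely public. The Minister stressed that the NRIC number should be used only where necessary and must not be used as a password or as a means of authentication, and that some organisations' misuse of the last four digits has become a security weakness. The Government will overhaul the rules on NRIC use across the public sector and guide private businesses towards gradual reform, while urging everyone to immediately change the high-risk habit of using their NRIC number as a password. The policy changes are aimed at preventing identity theft and online scams and protecting the digital privacy of every Singaporean.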

Instead of the full NRIC number, some organisations collect and use a partial NRIC number, usually the last four characters of the NRIC number. They think that this is safe and that revealing only the last four characters still keeps the full NRIC number secret. Among public agencies, even when the agencies had the full NRIC numbers, the use of masked NRIC numbers became more common.

Besides organisations, some individuals also started to use their NRIC numbers as their passwords. They did so under the impression that the full NRIC number is secret.

However, as shown by Dr Tan Wu Meng in his question, there are now algorithms that can be found online, that have made it easier to work out the full NRIC number from the partial or masked NRIC number. The easy availability of such algorithms means that the continued use of partial or masked NRIC numbers gives both organisations and individuals a false sense of security. This does not really keep the full NRIC number secret. This also makes the practice of using NRIC numbers as passwords even more inappropriate.

To the questions by Dr Tan, Mr Liang Eng Hwa and Ms Sylvia Lim, these developments led the Government to take steps to stop the incorrect uses of the NRIC number. This meant two things: one, not using the NRIC number as an authenticator; and two, moving away from the use of masked NRIC numbers, because it creates a false sense of security.

We knew this transition would take time. But it was better to start while the problem is relatively contained and for the Government to take the lead.

To the question by Ms Joan Pereira, we proceeded to ask agencies to stop using the NRIC number as an authenticator or as a password. We also asked agencies not to plan new uses, with a view to discontinuing existing uses of masked NRIC numbers eventually.

The lapse in coordination between agencies led to ACRA's misunderstanding and the disclosure of full NRIC numbers in the People Search function of its new Bizfile portal.

In hindsight, what we should have made clear was that moving away from the use of masked NRIC numbers did not mean automatically using the full NRIC number instead, in every case. At no point was our intention to disclose full NRIC numbers on a wide scale.

In place of masked NRIC numbers, in some instances, there would be no need for the NRIC number at all. In other instances, names alone or some other identifier would be sufficient. But there could also be instances where full NRIC numbers should be used, instead of masked NRIC numbers. Each case would have to be assessed and decided individually.

Members including Mr Leong Mun Wai, Mr Liang Eng Hwa, Mr Xie Yao Quan, Ms Jessica Tan, Mr Dennis Tan and Mr Pritam Singh have asked about the internal processes leading to ACRA's actions. Minister Indranee will say more about it in her Statement later and address Members' questions related to ACRA.

Miss Cheryl Chan asked why the efforts to change did not include the private sector. The Government knew that it would take time for public agencies to make the change. We expected that it would take even longer for the private sector because of long-standing practices and habits. The plan was therefore to change the internal practices of Government before moving to change practices in the private sector and non-profit organisations, which Ms Usha Chandradas asked about. We believed that doing so would allow us to better understand the implementation challenges and, as a result, facilitate a smoother transition in the private sector.

We had also planned to mount a major effort to help Singaporeans be aware of the risks and to support efforts to stop incorrect practices. The Bizfile incident was an unfortunate misstep which now means these plans need to be brought forward.

While we had taken steps to stop the incorrect uses of NRIC numbers in the public sector, we had not started implementation for the private sector. Mr Edward Chia, Mr Liang Eng Hwa, Ms Hazel Poa and Mr Xie Yao Quan have asked specifically what should be done in the private sector.

At this stage, we would advise private sector organisations to do two things: first, private sector organisations that are using NRIC numbers as a factor of authentication or as default passwords should stop this practice as soon as possible; and second, private sector organisations that presently collect partial NRIC numbers to identify people can continue to do so. The guidelines for the private sector have not yet changed and we will only consider how they should be updated after consulting the public.

To questions by Mr Xie Yao Quan, Mr Melvin Yong and Mr Sharael Taha, we aim to start consultations soon and will provide details when ready. Our initial soundings with the private sector suggest there can be different approaches. Some organisations currently using partial NRIC numbers can stop the practice and replace them with alternative means of identification such as mobile numbers or email addresses or drop them entirely. But there are also organisations that need to accurately identify persons and can justify the collection of full NRIC numbers even if they are not required by law. For example, preschool centres will prefer to collect the full NRIC numbers of visitors rather than just the mobile numbers; the parents will certainly feel more secure. In applications for and disbursements of substantial financial aid, persons would also need to be accurately identified.

We will take these considerations on board when updating the guidelines. In any case, I would like to assure Members like Ms Jean See and Mr Ong Hua Han that the Personal Data Protection Commission will support businesses in changing their authentication methods. This will include raising their awareness on why the use of NRIC numbers as a factor of authentication is unsafe and working through the Infocomm Media Development Authority and the Cyber Security Agency's programmes to help businesses review and adjust their practices.
