Does PDPC’s position on NRIC misuse conflict with SingPass practices?

The Personal Data Protection Commission (PDPC) recently clarified that National Registration Identity Card (NRIC) numbers should not be used for authentication purposes, describing them as identifiers, not secrets.

This guidance, which aligns with the Ministry of Digital Development and Information (MDDI)’s statement on 13 December, follows public backlash over the unmasking of NRIC numbers on the Accounting and Corporate Regulatory Authority’s (ACRA) Bizfile platform.

However, the PDPC’s position stands in stark contrast to practices like SingPass, Singapore’s government authentication service, which uses NRIC numbers as the default login ID.

Although the option to change the login ID has been available since 2015, many users, particularly seniors and less tech-savvy individuals, continue to use their NRIC numbers out of habit, leaving them vulnerable to exploitation.

Scams enabled by Publicly Accessible NRICs

The risks associated with exposing full NRIC numbers are further exacerbated by scams targeting unsuspecting individuals, as highlighted in the case of Gina Tan, reported by The Straits Times.

The Gina Tan case underscores how publicly available NRIC numbers can be weaponised to deceive vulnerable individuals.

Tan’s mother, an elderly individual, was targeted by a scammer posing as an Interpol officer. Armed with her full NRIC number and address, the scammer convinced Tan’s mother of their legitimacy, nearly tricking her into disclosing sensitive financial information.

This incident highlights a troubling reality: when NRIC numbers are publicly accessible, unsuspecting seniors—already frequent targets of scams—are unlikely to question a caller who knows their unique identifier. For many elderly individuals, such details lend credibility to fraudulent claims, making them more likely to fall victim.

ACRA’s unmasking of NRIC numbers on its Bizfile platform only heightens this risk. Although ACRA disabled the search function after public backlash, the temporary availability of NRIC numbers raises questions about the safeguards needed to prevent similar scenarios in the future.

The Tan Kin Lian Parallel

This issue also intersects with the 2019 case of Tan Kin Lian, a former presidential candidate and former CEO of NTUC Income, who publicly disclosed his NRIC number online.

Shortly after, an unknown individual repeatedly attempted to log in to his SingPass account using his NRIC as the login ID, locking him out after six failed attempts.

At the time, Mr Tan described the incident as a loophole that could be exploited to harass individuals. “All it needs is for someone to have the NRIC number and make six attempts to get the SingPass account blocked,” he said.

While SingPass requires two-factor authentication (2FA) for access, the use of NRIC numbers as default login IDs ties them into the authentication process, creating vulnerabilities when identifiers are publicly known.

ACRA’s Bizfile and SingPass: Conflicting Practices

The PDPC has explicitly stated that NRIC numbers are unsuitable for authentication purposes. “A person’s name and NRIC number identifies who the person is. Authentication is about proving you are who you claim to be… The NRIC number is not a secret and should not be used by an organisation for authentication purposes,” the commission emphasised.

Yet SingPass defaults to using NRIC numbers as login IDs, embedding them into its authentication mechanism. While users can opt to change their login ID, many do not, exposing them to risks such as unauthorised account access or phishing.

ACRA’s temporary unmasking of NRIC numbers further amplifies these risks. If NRIC numbers can be publicly accessed, as they were through Bizfile, scammers can weaponise this information, making it easier to deceive seniors or disrupt accounts like SingPass.

Inconsistent policies and lack of accountability

The contrast between the PDPC’s recommendations and the practices of SingPass and ACRA highlights inconsistencies that undermine public confidence in data protection policies.

Scams targeting seniors, such as the Gina Tan case, illustrate the real-world consequences of exposing NRIC numbers. Many elderly individuals may not realise their NRICs are publicly available or understand the risks of sharing such information. This leaves them vulnerable to scammers who exploit their trust in authorities or official-looking communications.

Similarly, incidents like Tan Kin Lian’s demonstrate how the integration of NRIC numbers into authentication systems like SingPass can be misused for harassment or malicious intent.

If NRIC numbers are unsuitable for authentication, as the PDPC asserts, then systems like SingPass must shift away from using NRICs as default login IDs. Public-facing platforms such as ACRA’s Bizfile must also ensure that sensitive identifiers are never made publicly accessible without stringent safeguards.

The government must urgently address these inconsistencies. This includes ensuring that PDPC’s recommendations are uniformly adopted across all agencies and engaging in robust public education campaigns to inform seniors and vulnerable groups about the risks associated with NRIC misuse.

Moreover, ACRA’s decision to roll out its new Bizfile platform without public consultation or prior announcement to the general public, and ahead of revisions to existing regulations, is both irresponsible and questionably legal.

That ACRA faces no penalties for this lapse is due only to its exemption from the Personal Data Protection Act (PDPA), a privilege that highlights a glaring gap in accountability.

Until these issues are resolved, the gap between policy and practice will continue to expose Singaporeans to preventable risks, while eroding trust in the country’s data protection framework.

For sensitive identifiers like NRIC numbers, the stakes are too high for such lapses to go unchecked.


