SINGAPORE: Over 500,000 searches for individuals were conducted on the Bizfile portal during the five-day period from 9 to 13 December 2024, when full NRIC numbers were made available.
This significantly exceeded the usual daily traffic of 2,000 to 3,000 queries, said Second Minister for Finance Indranee Rajah in Parliament on 8 January 2025, citing investigations.
The new Bizfile portal, managed by the Accounting and Corporate Regulatory Authority (Acra), was launched on 9 December.
Members of the public began voicing concerns about the disclosure of NRIC numbers on 12 December, prompting authorities to temporarily disable the search function on the night of 13 December.
Ms Indranee revealed that the bulk of the queries were made on 13 December, originating from approximately 28,000 IP addresses, most of which were from Singapore.
She was responding in a ministerial statement to questions from MPs, including Hougang SMC MP Dennis Tan and Jurong GRC MP Dr Tan Wu Meng, regarding the number of searches conducted, distinct users involved, NRIC numbers disclosed, and potential risks posed by malicious actors.
Ms Indranee explained that the authorities could not determine the exact number of NRIC numbers disclosed as the Bizfile portal was not configured to track individual queries in its People Search function.
A security review conducted by Acra and GovTech found that the portal’s security feature, meant to distinguish between human users and computer bots, was “not working as intended.” This issue has since been resolved.
“So far, we have not uncovered any known threat actors, based on the IP addresses used to make the People Search queries during the period,” Ms Indranee said.
Following the incident, Acra is reviewing the People Search function and considering additional search parameters, such as the Unique Entity Number (UEN) of associated entities.
The service resumed on 28 December with search results no longer displaying NRIC numbers, whether masked or unmasked.
Ms Indranee also emphasised that Acra’s database only contains information on individuals associated with Acra-registered entities, such as companies, partnerships, and non-profit organisations, and not on all Singapore citizens.
She outlined steps for those concerned about their NRIC numbers being accessed:
- Ensure their NRIC numbers are not used as passwords for digital accounts, and change any such passwords if necessary.
- Avoid using NRIC numbers for authentication purposes.
- Verify the identity and intent of anyone claiming to be an authority, even if they know one’s NRIC number.