NRIC numbers can be used to reveal home address, clinic records

SINGAPORE - Individuals whose full NRIC numbers were exposed on the Accounting and Corporate Regulatory Authority's (Acra) database earlier in December face potential cyber-security risks, as organisations frequently rely on NRIC numbers to retrieve personal information.

Checks by The Straits Times also found that NRIC numbers can serve as a key to collecting information about individuals, which can be used for targeted scams or mischief.

Cyber-security experts cautioned that NRIC numbers can be used by bad actors to trick victims into believing they are authority figures or to commit crime. The exposed NRIC numbers can also be used to collect further information for scams.

The experts said the risks highlight how an NRIC number in the wrong hands can pose risks to individuals, who need to be vigilant against scams, even as changes in how NRIC numbers are used in the private sector are afoot.

The concerns come after NRIC numbers belonging to key representatives of companies registered under Acra's database were revealed by mistake on its new Bizfile web portal on Dec 9. As a result, anyone could freely search and view the full NRIC numbers of registered individuals, including business' public representatives - some of whom are also politicians.

Acra apologised for the incident and disabled the feature on Dec 13, but experts said fraudsters could still use simple algorithms to collect the NRIC numbers exposed during this window at scale, increasing the threat of scams.

Acra said the incident was caused by a misunderstanding of an internal message distributed by the Ministry of Digital Development and Information (MDDI) some time in 2024, which informed agencies of plans to move away from the use of masked NRIC numbers for better security.

It did not reveal how many NRIC numbers were exposed during the incident.

The authorities are accelerating public education efforts on the use of NRIC numbers and consultation with the private sector on their use, said Minister for Digital Development and Information Josephine Teo at a press conference on Dec 19.

In the meantime, she urged private-sector organisations to stop relying on NRIC numbers as proof that a person is who he or she claims to be, such as to authenticate fund transfers.

Leaked NRIC numbers a key to personal data

Organisations are still relying on NRIC numbers as a key to retrieve personal data.

At e-kiosks in local healthcare institutions, checks by ST in the past week have found that entering an NRIC number can reveal its owner's registered address, contact number, recent appointment records and medical bills.

Bad actors could potentially cause mischief by cancelling appointments or collecting prescriptions fraudulently, said cyber-security expert David Siah, executive vice-president of South-east Asia-Australia at the Centre of Strategic Cyberspace + International Studies, a London-based think-tank.

Privacy Ninja co-founder Andy Prakash said such information can make scams more convincing, as fraudsters can include more unique details, such as a person's medical condition.

Scammers are unlikely to collect such information at scale due to the presence of security cameras and the difficulty in ensuring if an individual is a patient there, but the information can be used in a one-off targeted attack against specific individuals, he said.

The Registry of Marriages, a national database, allows users who have logged in via national authentication tool Singpass to look up to whom an individual is married. Users are limited to two free searches a year.

Some banks accept NRIC numbers to quickly identify customers who need help to block transactions, as a measure to thwart scams.

Such a feature has surfaced a debate on the balance between security and convenience, in the light of a report on Dec 9 that a couple's credit cards were blocked while they were on holiday after an impersonator used their NRIC numbers and personal details to freeze their accounts.

[[nid:712707]]

Local banks said the ability of quickly freeze an account is part of their protocol and an important anti-fraud measure.

For other requests, banks typically require callers to identify themselves by entering their NRIC numbers during the call, followed by a one-time password sent to their phone before services or privileged information are provided.

Calls by ST found that transactions over the phone are limited to fund transfers between the customer's own accounts with the bank and not to anyone else for security purposes.

Insurance companies are known to lock documents sent to customers behind automated passwords made of a combination of a customer's birthdate and partial NRIC number.

Local banks and insurers are reviewing their use of NRIC numbers and may change their practices soon.

MDDI told the media on Dec 19 that full NRIC numbers should be used only in situations requiring higher authenticity checks, such as during hotel check-ins, medical appointments and subscribing to a new phone line. They should not be used to sign up for retail memberships or lucky draws, among other scenarios.

Cyber-security consultant Shane Chiang from Momentum Z said much of the onus lies on organisations to shore up cyber-security measures and ensure that NRICs are no longer relied on for authentication. NRICs should be used only for identification purposes, he said, adding that individual vigilance is vital during this transition.

Individuals should enable two-factor authentication on online services and anticipate targeted phishing attempts, which are likely to be more convincing when more personal data is exposed.

Mr Chiang added: "Individuals should verify the legitimacy of communications before sharing further personal information or engaging with unfamiliar parties."

ALSO READ: Govt apologises for causing anxiety, confusion over unmasking of NRIC numbers