Over 500,000 searches were made on the Accounting and Corporate Regulatory Authority's (Acra) Bizfile platform from Dec 9 to 13, when individuals' full NRIC numbers were made available.
This figure is much higher than the usual daily traffic of 2,000 to 3,000 queries, said Second Minister for Finance Indranee Rajah on Wednesday (Jan 8).
Most of these queries were made on Dec 13, a day after news of the new Bizfile platform broke, she said.
In a ministerial statement during Wednesday's Parliament sitting, Indranee addressed questions filed by MPs on the disclosure of NRIC numbers on Acra's Bizfile platform.
On Dec 9, Acra launched its new Bizfile platform, which had a search function that produced people's full NRIC numbers with their names.
The People Search function was disabled on Dec 13 night, after the public raised concerns about the implications of unmasking NRIC numbers.
Acra resumed the service on Dec 28; it no longer shows individuals' NRIC numbers, masked or unmasked.
Investigations so far show that these searches came from about 28,000 IP addresses, most of which were from Singapore.
The authorities, however, were not able to identify the exact number of NRIC numbers that were disclosed, she said.
This is because the Bizfile portal is unable to track individual queries for the People Search function.
Acra and GovTech also conducted a security review and did not uncover any known threat actors from the IP addresses that were used to make enquiries on the Bizfile platform during the five-day period.
Indranee reiterated that Acra's database does not contain information on all Singapore citizens — only those who are involved in Acra-registered entities.
Misunderstanding on use of unmasked NRIC numbers
In July 2024, the government issued a circular instructing all government agencies to stop using NRIC numbers as authenticators or passwords and to stop the use of masked NRIC numbers in new processes and digital services.
"Acra understood the directive to mean that it had to unmask, and display in full, the NRIC numbers in the People Search function on the Bizfile portal," Indranee said.
Following internal deliberations about the risks of unmasking NRIC numbers, Acra sought clarification from the Ministry of Digital Development and Information (MDDI) on whether it was required to unmask NRIC numbers on the new Bizfile portal.
"However, due to a lapse in co-ordination between MDDI and Acra, Acra continued to understand, mistakenly, that the directive to cease the use of masked NRIC numbers in new digital services required Acra to unmask, and disclose in full, the NRIC numbers," she said.
It was not the government's intent for agencies to make NRIC numbers in their possession "widely and easily accessible", Indranee stressed.
Review panel to complete findings in February
Following the incident, a review panel has been set up to investigate the root cause of the incident, said Indranee.
Led by Head of Civil Service Leo Yip, the panel will review the government's policy on the responsible use of NRIC numbers as well as the disclosure of full NRIC numbers on the People Search function on Acra's Bizfile platform.
"For both matters, the panel will study what happened, how the decisions were made, the implementation and communication processes, the co-ordination across public sector agencies, and where the Government should have done and can do better," she said.
The panel also includes permanent secretaries who are not involved in the NRIC policy or the incident, as well as the permanent secretaries of the Ministry of Finance, which oversees Acra, and MDDI. It will report to Senior Minister Teo Chee Hean.
The panel is expected to complete its findings in February; these will subsequently be shared with the public.
claudiatan@asiaone.com