With algorithms that can guess or work out full National Registration Identity Card (NRIC) numbers available online, MP Tan Wu Meng called on the government to review its approach to data collection.
“Today, online bots can scrape thousands or even millions of data points if a search engine delivers the information quickly. There are scammers and hostile actors hoping to harvest every database they can get their hands on, anything with an API that can be accessed,” the Jurong GRC MP cautioned.
“There can be continued deep attention in the review to how in government e-services, we approach aggregates of data, especially when that data can be searched by the public or persons even from outside Singapore,” added Dr Tan.
According to Minister Josephine Teo, the easy availability of such algorithms means NRIC numbers can be easily guessed, even if masked.
The continued use of partial or masked NRIC numbers gives individuals and organisations a false sense of security.
This is why the government took steps to stop this kind of practice like the use of masked NRIC numbers while the problem was still relatively contained.
In parliament on Wednesday, Tin Pei Ling (MacPherson SMC), Chairperson of the Government Parliamentary Committee for Digital Development and Information, noted that Singaporeans are concerned about how their NRIC numbers can or cannot be used in scams or identity theft cases.
“What would be helpful is to share what kind of actions will be put in place to safeguard such information and prevent such misuses.”
Several MPs including Christopher de Souza (Holland-Bukit Timah GRC) also inquired about the government’s plan to mitigate risks of scams and identity thefts arising from the unmasking of NRIC numbers.
In response, Mrs Teo noted that scammers usually use NRIC numbers to give the impression that they are authority figures.
Yip Hon Weng (Yio Chu Kang SMC) wanted to know how the government would educate less tech-savvy individuals, particularly seniors, on the risks of misusing NRIC numbers. He suggested that the government consider utilising the Silver Generation Office or SG Digital Office to conduct house visits and explain these risks to seniors.
MPs concerned about private sector’s adoption of new practices
Xie Yao Quan (Jurong GRC) inquired whether the government would consider enhancing punitive measures against private entities for non-compliance in the improper use of NRIC numbers for authentication purposes.
Additionally, Cheryl Chan (East Coast GRC) questioned why the requirement to amend the use of NRIC as an identifier rather than an authenticator in the private sector was not considered earlier, given the strong push towards a digital-first society.
Ms Tin also asked about the government’s timeline for getting organisations to rectify their use of NRIC numbers for authentication.
Don Wee (Chua Chu Kang GRC) expressed concern about the disclosure of full NRIC numbers on the new Bizfile portal and its alignment with data protection policies under the Personal Data Protection Act (PDPA).
Ang Wei Neng (West Coast GRC) urged the government to conduct a comprehensive review of all Government portals to ensure compliance with data protection best practices.
A panel headed by Head of Civil Service Leo Yip is conducting a review to investigate the root cause of the incident, as announced by Second Minister for Finance Indranee Rajah in Parliament. This panel will also assess the Government’s policy regarding the responsible use of NRIC numbers. The panel is expected to conclude in February, and its findings will be made public.