Ministerial statement: Indranee Rajah on NRIC numbers in ACRA’s Bizfile service

More than 500,000 queries were made on People Search of the Bizfile portal during the five-day period from Dec 9 to 13 last year when full NRIC numbers were made available. This was much higher than the usual daily traffic of 2,000 to 3,000 queries. The bulk of these queries was made on Dec 13, the day after news that full NRIC numbers were made available. These searches came from an estimated 28,000 IP addresses, most of which were from Singapore. The authorities are unable to identify the exact number of NRIC numbers that was disclosed through these queries, as the Bizfile portal is not configured to track individual queries for the People Search function. ACRA and GovTech have since conducted a security review and found that the security feature in the People Search function designed to distinguish between human users and computer bots was not working as intended. This has since been fixed. No known threat actors have been uncovered, based on the IP addresses that were used to make the People Search queries between Dec 9 and 13. Following this incident, ACRA is reviewing how the People Search function can be improved. Second Minister for Finance Indranee Rajah gave this update of investigations so far in a ministerial statement in Parliament on Wednesday (Jan 8). Updating the House on the review of the incident, she said it is important to understand that public disclosure of NRIC numbers is not prohibited per se. The real issue is the degree and ease of access to NRIC numbers. She said a review panel is studying the root cause of the incident and will recommend areas for improvement. The panel expects to complete its review in February. The Government will share the review findings.