MDDI's response to PQs on Incident of Unauthorised Address Changes via ICA system

Parliament Sitting on 4 February 2025

QUESTIONS FOR ORAL ANSWERS

*13. Mr Mark Lee asked the Minister for Digital Development and Information in light of the incident involving unauthorised changes to residential addresses via ICA’s online system (a) what lessons has the Government drawn about vulnerabilities in digital public services; (b) how will this incident impact the Smart Nation strategy; and (c) whether the Government will commission an independent audit or review of public sector digital platforms to identify and address cybersecurity gaps.

*14. Mr Yip Hon Weng asked the Minister for Digital Development and Information with regard to the recent incidents of fraudulent address changes through unauthorised Singpass access (a) what are the lessons learnt; (b) what measures are being implemented to prevent future unauthorised access of Singpass for address change requests; (c) whether facial verification will be implemented; (d) if so, how will it incorporate liveness checks to prevent the use of still photos or other static images; and (e) how will these checks be designed to counter increasingly sophisticated deepfake technology.

*15. Dr Tan Wu Meng asked the Minister for Digital Development and Information (a) whether there will be a review of all e-Government services’ vulnerabilities following incidents of unauthorised changes to residential addresses via ICA's online system; and (b) whether the security evaluations of all e-Government services will include analysis of potential exploitation of workflows and processes, in addition to exploits that rely purely on cyber elements.

*16. Mr Desmond Choo asked the Minister for Digital Development and Information regarding the recent incidents of unauthorised changes to NRIC residential addresses (a) how extensive are the breaches; and (b) whether the Ministry will be conducting checks on other Government systems to assess similar vulnerabilities.

*17. Ms Hany Soh asked the Minister for Digital Development and Information in respect of ICA’s temporary suspension of its electronic service for change of residential addresses (a) how does GovTech assist and support ICA in the implementation of additional security measures; (b) whether any other private and public agencies are also provided assistance; and (c) if so, how.

Answer:

My response will also cover the matters raised in the oral question by Dr Wan Rizal which is scheduled for a subsequent Sitting. If the question has been addressed, it may not be necessary for the Member to proceed with the Questions for future Sittings.

Members have raised a range of questions. The Ministry of Home Affairs has already addressed the queries specific to the electronic Change of Address (eCOA) service, and how GovTech is supporting on that front. My reply will address more general questions on other Government digital services and Singpass, beyond what is relevant to the eCOA service.

Since the unauthorised change of addresses via the Immigration and Checkpoints Authority’s online system were publicly reported, Government agencies have been conducting checks on the possible impact to their e-services. So far, there have been no transactional services identified that can be completed in the same manner as unauthorised eCOA transactions using only the National Registration Identity Card (NRIC) number and date of issue of the NRIC.

More broadly, in managing their information technology systems, Government agencies are required to conduct regular risk assessments, including risks arising from dependencies on systems managed by other agencies. The systems must also be regularly assessed for vulnerabilities and subject to penetration testing. Once identified, vulnerabilities must be promptly remediated.

As for Singpass, GovTech is constantly improving and testing the security of its design. This includes penetration testing, enhancing fraud analytics, and requiring additional face verification if Singpass is used for higher risk transactions.