MDDI’s reply to media queries on disclosure of NRIC number on BizFile system
-
The NRIC number is a unique identifier assigned by the Singapore Government as a means to identify individuals, and should be used as such. As a unique identifier, the NRIC number is assumed to be known, just as our real names are known. There should therefore not be any sensitivity in having one’s full NRIC number made public, in the same way that we routinely share and reveal our full names to others.
-
The problem arises when the NRIC number is misused. For example, this can happen when organisations rely on the NRIC number as a form of authentication to access privileged information or perform privileged transactions. But just as our names alone would not be suitable as the basis for such authentication, neither should the NRIC number be used for this purpose. Likewise, the NRIC number should not be used as passwords, just as we should not be using our names as passwords. If the NRIC number is used for authentication, it would have to be kept a secret, which would defeat its main purpose as a unique identifier.
-
There has for some time been a practice of using masked NRIC numbers (e.g. rendering S0123456A as ****456A). In fact, there is no need to mask the NRIC number, nor is there much value in doing so. Using some basic algorithms, one can make a good guess at the full NRIC number from the masked number, especially if one also knows the year of birth of the person. That is why public agencies are phasing out the use of masked NRIC numbers to avoid giving a false sense of security.
-
The Government’s intent was to change the existing practice of masking the NRIC number only after explaining the issue and preparing the ground. We acknowledge that co-ordination could have been better so that ACRA’s move would not have run ahead of the Government’s intent. We apologise for this mistake and for causing anxiety to the public.
-
We recognise that some Singaporeans have long treated the NRIC number as private and confidential information, and will need time to adjust to this new way of thinking about the NRIC number. In the coming year, MDDI and PDPC will be conducting a public education effort about the purpose of the NRIC number, and how it should be used freely as a personal identifier in the same way we use our names, as well as the correct steps we ought to take to protect ourselves, which involve proper use of authentication and passwords.