Review panel finds no deliberate wrongdoing in ACRA’s Bizfile NRIC disclosure incident

A government review panel has determined that the unmasking of full NRIC numbers on the Accounting and Corporate Regulatory Authority's (ACRA) Bizfile portal was the result of miscommunication and coordination lapses, rather than deliberate wrongdoing.

However, it identified multiple shortcomings in how ACRA and the Ministry of Digital Development and Information (MDDI) handled the matter.

The panel, led by head of civil service Leo Yip, was set up to review the government's policy on NRIC number usage, determine the causes of the incident, and recommend ways to prevent a recurrence.

Its report was submitted to Senior Minister Teo Chee Hean on 25 February 2025 and approved for public release by Prime Minister Lawrence Wong on 27 February.

How the lapse occurred

The issue arose due to a misunderstanding of an internal policy directive issued by MDDI in July 2024. The directive aimed to phase out the use of masked NRIC numbers in government systems but was meant to apply only to internal processes.

However, ACRA mistakenly applied it to its public-facing Bizfile portal.

Email exchanges between ACRA and MDDI failed to clarify this distinction.

ACRA interpreted the directive as requiring full NRIC numbers to be displayed publicly, while MDDI, using the term “unmasking” as shorthand for discontinuing the use of masked numbers, did not realise that ACRA had misunderstood its intent.

As a result, when ACRA launched its new Bizfile portal on 9 December 2024, the People Search function displayed full NRIC numbers.

This sparked a public outcry, especially after former journalist Bertha Henson highlighted the issue on 12 December. The search function was disabled the next evening.

Findings from the review

The panel found that several shortcomings contributed to the incident. MDDI’s policy directive was not clear enough, leading to misinterpretations.

Although the ministry later issued briefing materials to clarify the policy, these were not attached to the original circular and were not widely shared within ACRA.

This resulted in senior ACRA officials and project leads for the new Bizfile portal acting on incomplete information.

The panel also noted that ACRA did not fully consider the security implications of making NRIC numbers publicly accessible. It failed to assess the balance between corporate transparency and protecting personal data.

Additionally, a review by GovTech found that some security features, including CAPTCHA, were not properly implemented, making it easier for automated programs to extract data.

In the days before the search function was disabled, an unusually high volume of queries was recorded.

Investigations revealed that over 500,000 searches were made on the People Search function between 9 and 13 December, far exceeding the usual daily traffic of 2,000 to 3,000 queries.

The highest number of searches occurred on 13 December, after the issue became public. These searches came from around 28,000 IP addresses, mostly from Singapore.

However, because Bizfile does not track individual queries, ACRA was unable to determine exactly how many NRIC numbers had been accessed.

Government response and corrective measures

In December last year, a week after the issue surfaced, Minister for Digital Development and Information Josephine Teo and ACRA Chief Executive Chia-Tern Huey Min addressed the matter at a press conference on 19 December 2024, expressing regret over the mistake.

Teo stated: "First, I would like to acknowledge the public's concerns, which we take very seriously. We are deeply sorry for causing them anxiety."

Following the release of the report, the Ministry of Finance (MOF) and ACRA issued a joint statement on 3 March 2025, accepting the review panel’s findings and outlining steps to prevent similar incidents.

ACRA will improve internal communication and staff training to ensure that critical information is properly disseminated. The agency will also conduct more frequent security reviews before launching new digital platforms and ensure that features like CAPTCHA are fully implemented.

To prevent misinterpretations in the future, government agencies will issue clearer policy directives and provide more structured briefings when implementing complex policies. ACRA will also strengthen its oversight of external vendors responsible for system development.

The ACRA Board’s HR and Finance Committee has reviewed the actions of the officers involved. While no wilful wrongdoing was found, performance assessments will be adjusted accordingly, with financial consequences for those responsible.

Strengthening data governance

The government has reiterated its commitment to improving data management policies and ensuring clearer communication when implementing digital policies.

While the policy shift away from masked NRIC numbers aimed to enhance data accuracy and prevent misuse, the poor execution and lack of clarity led to significant privacy concerns.

MDDI and ACRA have assured the public that future changes to NRIC policies will be handled with greater transparency, security, and public engagement to prevent similar incidents.