Tan Wu Meng questions ACRA’s outsourced security review; SM Teo says vendor’s performance will impact tenders
During the Parliament sitting on 6 March, Jurong GRC MP Dr Tan Wu Meng raised concerns over ACRA outsourcing its security review: the vendor engaged a security reviewer, yet GovTech later found lapses. In response, SM Teo Chee Hean stressed vendor accountability, stating that future tenders would reflect security performance, while ACRA remains responsible.
SINGAPORE: During the Parliament sitting on 6 March, Jurong GRC MP Dr Tan Wu Meng raised concerns over the security of ACRA’s BizFile+ system, questioning whether agencies with a cybersecurity focus should have been involved earlier in the portal’s development.
He highlighted the risks of databases with search functions, noting that cybercriminals often attempt to scrape large amounts of data.
Given the sensitivity of NRIC numbers—which are permanent and cannot be changed—he asked how government agencies could strengthen their instincts to preemptively address such threats.
Dr Tan also called for strengthening “red team” capabilities within the government to proactively test the security of online portals that contain personal data.
He pointed out that ACRA had outsourced its portal security to a vendor, who then further outsourced penetration testing to a security reviewer.
However, GovTech later discovered gaps in the system’s security, raising questions about the effectiveness of this outsourcing model.
SM Teo Highlights Government’s Reliance on Reputable IT Vendors and Rigorous Cybersecurity Measures
In response, Senior Minister Teo Chee Hean acknowledged the importance of cybersecurity but noted that decisions were made based on available information at the time.
He explained that while the guidelines in the Government’s internal code, known as IM8, set strict security requirements, agencies sometimes find them overly prescriptive.
Nonetheless, he emphasised that such measures are necessary to ensure robust security.
SM Teo defended the government’s approach of engaging reputable IT and security vendors rather than building all systems in-house, stating that even leading cybersecurity firms have experienced breaches.
“Even IT security companies or companies who sell IT security as their main product have made mistakes and been penetrated in an embarrassing way before,” Teo said.
He assured that the government has rigorous red teaming processes and a bug bounty programme, where both ongoing and periodic “hunting seasons” invite ethical hackers to test for vulnerabilities.
Addressing concerns about vendor accountability, SM Teo stated that if an IT vendor fails to meet its security responsibilities, it would be considered in future tender awards.
He emphasised that while ACRA had outsourced parts of the security review, it remains ultimately responsible for the system’s security and is keeping its options open regarding the IT vendor’s future involvement.
Earlier, Senior Minister Teo Chee Hean delivered a ministerial statement in the House to address the incident following a review panel’s investigation, which identified lapses in processes and communication between the Accounting and Corporate Regulatory Authority (ACRA) and the Ministry of Digital Development and Information (MDDI).
On 3 March, the government released the review panel’s report, which concluded that the unmasking of NRIC numbers on ACRA’s Bizfile portal was due to miscommunication and coordination lapses, with no deliberate wrongdoing.
However, the report highlighted several shortcomings on the part of ACRA and MDDI.
In response, the government has pledged to implement corrective measures to prevent similar incidents in the future.







