Singapore tells firms to stop using NRIC numbers as passwords due to security risks

Private sector organisations in Singapore should immediately stop using National Registration Identity Card (NRIC) numbers to verify identities or as default passwords, said the Ministry of Digital Development and Information (MDDI) on 26 June 2025. The advisory, jointly issued by the Personal Data Protection Commission (PDPC) and the Cyber Security Agency (CSA), urges businesses to move away from this risky practice. The government flagged concerns that the current reliance on NRIC numbers for authentication poses serious risks, such as impersonation and data breaches. “NRIC numbers should not be used to prove that a person is who he claims to be… for the purposes of trying to gain access to services or information meant only for that person,” stated the MDDI.

Concerns about impersonation and data exposure

The ministry highlighted that organisations commonly use NRIC numbers to grant access to private information, including insurance documents. This practice is unsafe, it warned, because NRIC numbers can be easily known by others. Such exposure may allow bad actors to impersonate individuals, gaining unauthorised access to personal records or services. MDDI advised companies to end this practice immediately, whether using full or partial NRIC numbers. It also recommended stopping the use of NRIC numbers as default passwords in email-protected documents, especially when combined with easily available personal details like birth dates. “If it is necessary to authenticate a person, organisations should consider alternative methods,” added the ministry. These include strong passwords, security tokens, or biometric verification such as fingerprint ID. New guidance to be issued across regulated sectors To further protect citizens, the government is collaborating with regulated sectors including finance, healthcare, and telecommunications. Sector-specific guidance will be developed and released in the coming months. According to the MDDI, this effort builds on a broader initiative launched in January 2025 to enforce proper NRIC use across the private sector. In a ministerial statement in January, Minister for Digital Development and Information Josephine Teo urged businesses to cease using NRIC numbers as authentication factors or passwords. She clarified that partial NRIC collection for identification purposes could still continue, subject to public consultation.

Bizfile data leak triggered public outcry in last December

The ministry’s advisory follows a public backlash in December 2024 after a government portal mishap exposed personal data. On 9 December, the Accounting and Corporate Regulatory Authority (Acra) launched its new Bizfile portal. The platform allowed free access to individuals’ full names and NRIC numbers through its search function. Concerns were raised by 12 December, prompting authorities to shut down the search function the following night. During the January 2025 parliamentary sitting, Second Minister for Finance Indranee Rajah revealed that over 500,000 searches had been conducted between 9 and 13 December—far exceeding the normal daily volume of 2,000 to 3,000 queries. Most of the traffic occurred on 13 December, and around 28,000 IP addresses, mainly from Singapore, were involved. In a parliamentary session on 6 March 2025, then-Senior Minister Teo Chee Hean addressed the accountability surrounding the data leak. He stated that officers and senior management involved in the incident would face consequences such as counselling, retraining, and reductions in performance grades and bonuses. Teo noted that political office holders, including Josephine Teo and Indranee Rajah, had accepted responsibility and issued public apologies. The Permanent Secretaries of the Smart Nation and Digital Government Office (now under MDDI) were responsible for executing related policies. Chia-Tern Huey Min, chief executive of Acra, oversaw the portal’s design and implementation. Teo clarified that the review of the incident was not a disciplinary process, and any formal disciplinary action would be handled by the respective public agencies.