Between December 9 and 13, 2024, more than half a million queries were made on the Accounting and Corporate Regulatory Authority (ACRA) Bizfile portal
Between December 9 and 13, 2024, more than half a million queries were made on the Accounting and Corporate Regulatory Authority (ACRA) Bizfile portal, following the controversial public disclosure of full NRIC numbers. This surge in traffic, which far exceeded the usual daily volume of 2,000 to 3,000 searches, was confirmed by Indranee Rajah, Singapore’s Second Minister for Finance, during a parliamentary session on January 8.
The incident occurred after the NRIC numbers were unmasked on the ACRA Bizfile People Search function, which had been launched on December 9. Indranee highlighted that the peak of these searches occurred on December 13, a day after the news broke about the NRIC disclosure. As a result, the People Search function was disabled later that evening.
The queries, which originated from approximately 28,000 distinct IP addresses, were predominantly from Singapore. However, Indranee clarified that ACRA’s database does not contain records for all Singaporean citizens, but only for individuals connected to ACRA-registered entities, such as companies and non-profit organisations.
ACRA’s initial investigation found no evidence of malicious actors involved in the incident. However, a security review conducted by ACRA and GovTech revealed that a feature designed to prevent automated bot queries had malfunctioned, allowing for large-scale access to personal data. This flaw has since been rectified.
Regarding the cause of the disclosure, Indranee explained that the Ministry of Digital Development and Information (MDDI) had issued a directive in July 2024 instructing government agencies to cease using NRIC numbers for authentication purposes. However, a lapse in coordination between MDDI and ACRA led to a misunderstanding, with ACRA mistakenly interpreting the directive as a requirement to unmask NRIC numbers entirely. This misunderstanding resulted in the unintentional disclosure of full NRIC numbers in the People Search function.
Indranee acknowledged that the incident revealed gaps in communication and understanding between MDDI and ACRA. The government has since established a review panel, led by Senior Minister Teo Chee Hean, to examine the incident’s root cause, assess the measures that could have been taken to prevent it, and make recommendations for future improvements. The panel is expected to complete its review by February 2025.
Additionally, questions were raised in parliament about why ACRA provides public access to such sensitive data. Indranee explained that ACRA, as the national regulator for business registration, is authorised to collect and maintain basic information about individuals involved with business entities. This public access helps maintain corporate transparency and is crucial for preventing fraudulent activities like money laundering.
For those concerned about their NRIC numbers being accessed, Indranee advised the public to take precautions, such as ensuring that their NRIC number is not used as a password and verifying the identity of individuals who may have access to their personal information.
In response to the incident, Indranee assured the public that the government would learn from this mistake and improve its processes going forward. The government has pledged to share the findings and lessons learned once the review panel’s work is complete.
COMMENTS