Following the recent unmasking of Singapore National Registration Identity Card (“NRIC”) numbers by the Accounting and Corporate Regulatory Authority (“ACRA”), both the ACRA and Cyber Security Agency (“CSA”) have issued guidance on moving away from using NRIC numbers for authentication and password purposes in the private sector.
With data protection undoubtedly a top concern and priority for individuals and organisations today, our commentary reviews this significant shift in best practices for authentication in Singapore, and the need for education on the appropriate use of NRIC numbers.
Unmasking the Singapore NRIC number
In December 2024, there was a public furore over the inadvertent unmasking of Singapore NRIC numbers by ACRA. A member of the public had discovered by chance that ACRA’s refreshed online portal featured a new search function (i.e. Bizfile People Search, which was later disabled) that allowed the full NRIC numbers of individuals registered on its database to be accessed free of charge. This led to the government issuing a public apology later in December and instituting a review panel to investigate the incident.
Thereafter, in the same month, the Ministry of Digital Development and Information (“MDDI”) issued a statement outlining the appropriate use and misuse of NRIC numbers, which invited public debate. The MDDI made the following key points in its statement:
- As there is little value in masking the NRIC number, the government had been preparing to change the existing practice of masking the NRIC number and move towards unmasking the same eventually. The MDDI explained that masked NRIC numbers actually give individuals a false sense of security. This was because, using some basic algorithms, it was possible to uncover an individual’s full NRIC number from the masked number, especially if the year of birth of the individual was also known.
- In 2025, the MDDI and Personal Data Protection Commission (“PDPC”) plan to start educating the public on how the NRIC number should be used freely as a personal identifier in the same way individuals use their names, and the correct steps that ought to be taken for security, which would involve the proper use of authentication and passwords.
Review panel findings
In March 2025, the government shared the panel’s findings of internal communication errors between ACRA and the MDDI. ACRA’s misinterpretation of the MDDI’s internal directive on NRIC numbers had led ACRA to launch Bizfile People Search with full NRIC numbers alongside corresponding names in the search results, instead of partial NRIC numbers, which had been what was intended. ACRA, together with the Ministry of Finance, and separately, the MDDI, apologised for the incident.
New guidelines on the use of NRIC numbers
On 26 June 2025, ACRA and the CSA issued a joint advisory[1] to guide private organisations on ceasing the use of NRIC numbers for authentication of an individual. On the back of this, the MDDI similarly issued a press release[2] on stopping the use of NRIC numbers as passwords in the private sector. The public can expect more sector-specific guidance in the coming months as the government is working with regulated sectors such as finance, healthcare, and telecommunications to develop them.
Isn’t the NRIC number private information?
Public understanding and consensus have always been that an individual’s NRIC number is private and confidential and, unless required by law, the disclosure of the same is subject to that individual’s consent. This is consistent with the fact that an individual’s full NRIC number is usually masked, whether at the point of collection or disclosure. For instance, the collection of individuals’ NRIC numbers by organisations (in both the public and private sectors) for various purposes tends to only require the provision of the last four characters of the NRIC number (i.e. the last three numerical digits and the checksum letter of the NRIC number, e.g. 567A where the full NRIC number is S1234567A). On the occasion where an announcement of contest winners sets out their names and NRIC numbers, full NRIC numbers would not be spelled out – only the last four characters would be published. Partial disclosure was and is the norm, and a widely-accepted general practice.
The classified nature of NRIC numbers is especially entrenched in the consciousness of the Singaporean public, as it is used by individuals to conduct their private matters. In Singapore, banks and insurers customarily require customers to identify themselves by entering their NRIC number over calls to their hotlines, or online for use of digital services, as part of their customer verification protocol. While fund transfers may require multi-factor authentication (“MFA”), of which entering the NRIC number may only comprise one component, some banks have opted to accept NRIC numbers to expedite customer verification in urgent cases of fraud or scam prevention. Additionally, banks and insurers often prescribe passwords that are a combination of the customer’s full or partial NRIC number and date of birth, to unlock password protected documents such as bank statements, insurance policies or related documents. Needless to say, these documents are secured in this way because they contain sensitive personal data (e.g. financial and health information).
Would the disclosure of an NRIC number constitute a data breach?
We would highlight that even partial NRIC numbers are considered personal data under the Personal Data Protection Act 2012 (“PDPA”), to the extent that an individual can be identified from the partial NRIC number. This is the view the PDPC has taken in its Advisory Guidelines on the PDPA for NRIC and other National Identification Numbers (“Advisory Guidelines”), which were issued on 31 August 2018 (but which are due to be updated). The PDPC had in 2020 also published a series of Frequently Asked Questions for individuals and organisations in relation to the treatment of NRIC numbers and physical NRICs, and this appears to have been updated in the light of recent developments.
While the public sector is not subject to the PDPA (although under the Public Sector (Governance) Act 2018, public agencies are required to comply with IM8, which is reportedly a set of instructions aligned with the PDPA but adapted to the public service context), the public outcry that followed the ACRA incident was not surprising. Had the incursion been traced to a private sector entity, it would have been considered a data breach – an unauthorised disclosure of personal data. Accordingly, it would have required mandatory notification to the PDPC, and could also trigger enforcement action by the PDPC.
A notifiable data breach is one that could cause significant harm or is of significant scale. Significant harm occurs where there is physical, psychological, emotional, economic, financial harm, harm to reputation and other harms that a reasonable person would identify as a possible outcome of a data breach. While there are prescribed categories of personal data that if disclosed would cause significant harm (e.g. full name/ alias/ identification number in combination with items such as salary information/ credit card number/ bank account number/ health information, or account name/ number/ username, or account access information like biometric data/ security code/ password/ answer to security question etc), unauthorised access to an NRIC number is likely to cause significant financial harm to the holder of that NRIC number, because of the possibility for that number to be misused for identity theft or fraudulent purposes. For the avoidance of doubt, even though an individual’s full name would constitute personal data, a data breach involving the disclosure of an individual’s full name alone (without any other accompanying personal data) would not give rise to significant harm.
Authentication versus identification
Both the joint advisory by the PDPC and CSA, and the MDDI’s statement in June 2025 distinguish between the authentication and identification of an individual.
Authentication is the more critical process of proving that an individual is who he/ she claims to be; successful authentication is a condition precedent to permitting the individual to access services or information intended only for him/ her. On the other hand, identification is the act of differentiating one individual from another, and is an end in itself. While both are forms of verification, it is clear that authentication should not be treated in lockstep with identification, as there are higher stakes involved.
On a related note, a Straits Times Forum letter published on 20 June 2025 titled “Stronger safeguards needed for inter-bank transfers” suggests that authentication should be more layered so as to be watertight. The letter flagged the recent case of a car salesman cheating buyers of over S$341,000 by having them transfer payment to his personal account instead of the company account. The writer was troubled by the lack of built-in checks in interbank transfers to ensure that the name of the recipient matches the name of the holder of the account to which the funds are being transferred. There is no such gap for cheques/ banker’s drafts/ cashier’s orders as bank tellers would have to extract the name of the account holder from the account number, and verify that such name tallied with the printed payee’s name. Mandatory name verification for large transfers was proposed as a safeguard to plug this gap. On 26 June 2025, the Monetary Authority of Singapore stated that it would consider the writer’s suggestion as part of its efforts to better protect customers against fraudulent or erroneous transfers.
Returning to the use of passwords as a method of authentication, the government’s position is that in order for passwords to serve as a reasonably robust defence against unauthorised account access, passwords should not contain information that can be obtained easily, such as full names or their permutations, NRIC numbers, or dates of birth.
The issue the government is trying to address is two-pronged:
- individuals have been using their NRIC numbers, whether partially or in their entirety as their passwords or part of their passwords, to log into their digital accounts;
- organisations have been using full or partial NRIC numbers to authenticate individuals, by setting passwords on their behalf as account log-in credentials, or to enable them to access privileged information (such as unlocking password protected documents), or to perform privileged transactions.
The misuse or publication of NRIC numbers is therefore a real concern, as those privy to another’s NRIC number may be able to abuse this information for impersonation and fraud.
Accordingly, an NRIC number should be treated like an individual’s name. Neither suffices for authentication, whether used separately or together, in full or in part, or combined with other easily obtainable personal data (e.g. a password combining an individual’s partial NRIC number and date of birth, such as “567A1Jan2025”). Both are simply means of identification.
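As an added illustration (not part of the advisory or this commentary), the following Python check rejects a password that embeds any of the easily obtainable identifiers discussed above: the full NRIC number, its last four characters, common date-of-birth spellings, or tokens from the full name. The sample NRIC S1234567A, the password “567A1Jan2025” and the name are constructed examples.

```python
import re
from datetime import date

def nric_fragments(nric: str) -> set[str]:
    """Forms of an NRIC number that commonly end up inside passwords:
    the full number, the seven digits alone, and the last four characters
    (e.g. 567A for S1234567A)."""
    n = nric.strip().upper()
    return {n, n[1:-1], n[-4:]}

def dob_fragments(dob: date) -> set[str]:
    """Common ways a date of birth is written inside a password
    (ddmmyyyy, ddmmyy, yyyymmdd, 1Jan2025-style, and the bare year)."""
    month_year = dob.strftime("%b%Y").upper()          # e.g. JAN2025
    return {
        dob.strftime("%d%m%Y"), dob.strftime("%d%m%y"),
        dob.strftime("%Y%m%d"), f"{dob.day}{month_year}",
        str(dob.year),
    }

def name_fragments(full_name: str) -> set[str]:
    """Name tokens of three or more letters; short tokens are skipped to
    limit false rejections, so this check errs only slightly on the side
    of caution."""
    return {t for t in re.split(r"[^A-Za-z]+", full_name.upper()) if len(t) >= 3}

def weak_password_reasons(password: str, nric: str, dob: date, full_name: str) -> list[str]:
    """Return the reasons a password is tied to the user's identifiers;
    an empty list means none of the identifiers appear in it.
    Matching is case-insensitive because users mix case freely."""
    pw = password.upper()
    reasons = []
    if any(f in pw for f in nric_fragments(nric)):
        reasons.append("contains NRIC number or its last four characters")
    if any(f in pw for f in dob_fragments(dob)):
        reasons.append("contains date of birth")
    if any(f in pw for f in name_fragments(full_name)):
        reasons.append("contains part of full name")
    return reasons

def is_acceptable(password: str, nric: str, dob: date, full_name: str) -> bool:
    return not weak_password_reasons(password, nric, dob, full_name)

if __name__ == "__main__":
    # Constructed sample user; the password mirrors the "567A1Jan2025" pattern above.
    user = ("S1234567A", date(2025, 1, 1), "Tan Ah Kow")
    print(weak_password_reasons("567A1Jan2025", *user))
    print(is_acceptable("correct-horse-battery-staple", *user))
```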
Organisations and individuals should expedite their transitions away from the practice of deploying NRIC numbers as an authentication measure and consider adopting the following options for purposes of authenticating an individual instead:
- More specific and uncommonly known information that only that individual knows (e.g. complex password);
- An item that only that individual would possess (e.g. security token, smart card);
- An attribute that only that individual would possess (e.g. fingerprint, face, iris, palm vein).
The last two options offer stronger phishing resistance than the first. In terms of passwords, a strong one with enough complexity is typically composed of a series of random words; and where passwords are used, two-factor authentication (“2FA”) or even MFA are recommended as additional layers of security. Essentially, an individual’s name and NRIC number should not be used as passwords or as any basis of authentication.
In fact, the physical NRIC, which indicates an individual’s NRIC number, could be employed as a factor of authentication, as it contains other details (e.g. photo and thumbprint) which can be verified in person, and these additional features serve as security/ safeguards that the NRIC number on its own lacks.
It is worth noting that the PDPC had previously issued a Technical Guide to the Advisory Guidelines (likewise scheduled to be updated) which provides organisations with tips for the replacement of NRIC numbers as identifiers for individuals, in their applications, websites or other public-facing computer systems.
The PDPC and CSA advise organisations to adopt a risk-based approach when choosing the appropriate authentication method. Factors to consider in designing a bespoke approach include:
- Value and sensitivity of what is being protected;
- Potential threats and vulnerabilities of the authentication method; and
- User experience and accessibility when using the authentication method.
The PDPC encourages organisations to take reference from the PDPC’s Guide to Data Protection Practices for ICT Systems (pages 15 to 16) in devising their authentication practices. For example, 2FA, MFA and complex passwords are particularly important for administrative accounts, as unauthorised access of these very accounts remains one of the most common root causes of data breaches to date. Staff training and restrictions on privileged account changes would also be prudent measures to implement as part of efforts to promote this sea change in mindset.
It is uncontroversial that one’s NRIC number is a unique/ personal identifier. But it will take time for the public education drive to dislodge the deeply embedded, age-old notion that an individual’s NRIC number is private knowledge that an individual is entitled to withhold.
Nonetheless, until the relevant PDPC advisories are formally amended, the NRIC number (as a personal identifier) continues to be subject to the PDPA, and the unauthorised disclosure of the same could engender significant harm. Organisations that handle personal data (which includes NRIC numbers) must still comply with their data protection obligations under the PDPA – beginning with obtaining valid consent from the individual, followed by adhering to purpose and retention limitations, and making reasonable security arrangements to protect the personal data, etc.
Exploitation of personal data and the NRIC number
Cybersecurity awareness amongst organisations and individuals alike is key to avoiding the exploitation of personal data. IT forensics experts have identified new threat actor tactics that could theoretically take advantage of the unmasking of the NRIC number. For example, a prominent threat actor group known by the name of “Scattered Spider” has gained notoriety of late for using social engineering techniques to effect data breaches on its victims. “Scattered Spider” has targeted IT helpdesks by deploying social manipulation techniques including adopting local accents and capitalising on publicly available information associated with mid-level IT personnel and network engineers to convince IT helpdesk staff to reset employee accounts without setting off alarm bells. NRIC numbers could certainly be exploited by the likes of “Scattered Spider” in their data breach attempts.
Key lessons
- Singapore NRIC numbers should be used for purposes of identification only and should not be used as a means of authentication to facilitate the provision of a service or the retrieval of information.
- Organisations and individuals must relook at existing practices of deploying NRIC numbers as authentication measures, including using them as passwords, and phase these out.
- Passwords should not contain NRIC numbers, as the likelihood of one’s NRIC number being compromised and misappropriated is a serious possibility.
- Multiple independent forms and stages of authentication are recommended, and organisations and individuals should stay vigilant of security risks and take active steps to install effective safeguards.
Kennedys regularly advises on data protection laws and cyber incidents in Singapore and worldwide. If you require any assistance in this regard, please contact our authors.
[1] https://www.pdpc.gov.sg/help-and-resources/2025/06/joint-advisory-against-using-nric-numbers-for-authentication-by-the-personal-data-protection-commission-pdpc-and-cyber-security-agency-of-singapore-csa
[2] https://www.mddi.gov.sg/newsroom/stopping-the-use-of-nric-numbers-as-passwords-in-the-private-sector/