
Authorities issue formal advisory for private sector to stop using NRIC numbers as passwords, authentication
SINGAPORE: Private sector organisations should stop using National Registration Identity Card (NRIC) numbers to authenticate individuals or as passwords, said the Ministry of Digital Development and Information of Singapore (MDDI), citing risks of impersonation and data breaches.
The Personal Data Protection Commission (PDPC) and the Cyber Security Agency (CSA) issued a formal advisory on Thursday (Jun 26), guiding companies to stop using NRIC numbers to prove a person's identity.
'While organisations may use NRIC numbers to identify who a person is over the phone or when using digital services, NRIC numbers should not be used to prove that a person is who he claims to be … for the purposes of trying to gain access to services or information meant only for that person,' said MDDI.
The ministry noted that currently, private sector organisations may require people to use their NRIC numbers as passwords to access information intended only for them, such as in insurance documents.
'It is unsafe for organisations to use NRIC numbers in this manner because a person's NRIC number may be known to others, permitting anyone who knows his NRIC number to impersonate him and easily access his personal data or record.'
Hence, companies that are using full or partial NRIC numbers for authentication purposes should move away from this practice as soon as possible, said MDDI.
This includes not setting NRIC numbers as default passwords in password-protected files sent via email, and not using the full or partial numbers together with other easily obtainable personal data, such as date of birth.
'If it is necessary to authenticate a person, organisations should consider alternative methods, for example requiring the person to use strong passwords, security token or fingerprint identification,' said MDDI.
The ministry added that the government is also working with regulated sectors, including finance, healthcare and telecommunications, to develop sector-specific guidance in the coming months.
The government has been working to ensure the proper use of NRIC numbers in the private sector since January to better protect citizens, said MDDI.
In January, Minister for Digital Development and Information Josephine Teo said in a ministerial statement that private sector organisations that are using NRIC numbers as authentication factors or default passwords should stop this practice as soon as possible.
Mrs Teo said at the time that those organisations which collect partial NRIC numbers to identify people can continue to do so, and that the ministry would only consider how the guidelines on NRIC number usage in the private sector should be updated after consulting the public.
The move followed public backlash in December 2024, over the launch of a new Bizfile portal
