Government urges private sector to stop using full, partial NRIC numbers for authentication

Business Times, 26-06-2025
[SINGAPORE] The Personal Data Protection Commission (PDPC) and Cyber Security Agency (CSA) on Thursday (Jun 26) advised private organisations to stop using full or partial national registration identity card (NRIC) numbers for authentication.
Authentication is the process of proving that a person is who he claims to be before granting him access to services or information intended solely for him, the PDPC and CSA said in a joint advisory posted on their websites.
'NRIC numbers should not be used to prove that a person is who he claims to be for the purposes of trying to gain access to services or information meant only for that person,' the Ministry of Digital Development and Information (MDDI) said in a statement on the same day.
Companies that do use NRIC numbers for such purposes should 'transition away from (the) practice as soon as possible', the ministry said.
This includes not setting NRIC numbers as default passwords and not using full or partial NRIC numbers with other easily obtainable personal data – such as by using passwords that combine parts of a person's NRIC number with his date of birth.
The ministry noted that some private sector organisations currently require individuals to use their NRICs as passwords to access information intended solely for them, such as insurance documents.
This practice is unsafe because a person's NRIC number may be known to others, so using it for authentication would permit anyone who knows the number to impersonate him and easily access his personal data or records, the MDDI said.
'If it is necessary to authenticate a person, organisations should consider alternative methods, for example requiring the person to use strong passwords, a security token or fingerprint identification,' the MDDI statement said.
This comes on the back of government efforts, since January, to ensure the proper use of NRIC numbers in the private sector to better protect citizens, MDDI said.

Related Articles

147,000 customer records affected following data breach at Cycle & Carriage
CNA, 01-08-2025

SINGAPORE: A breach at Cycle & Carriage's database has affected about 147,000 records containing customer information, the car distributor said on Friday (Aug 1).
In response to CNA's queries, a spokesperson from Cycle & Carriage said that it was alerted on Jul 14 to "unauthorised access" into its customer relationship management system by a threat actor who downloaded some customer information.
"About 147,000 data records are affected. Most of the downloaded records have missing or partial information," added the spokesperson.
The affected data records may contain names and contact information - such as email addresses and phone numbers - with about 2 per cent of them containing National Registration Identity Card (NRIC) numbers and deposit amounts. No banking or credit card information was divulged, the spokesperson said.
"Once we became aware of the incident, we have taken measures to prevent further unauthorised access to the system.
"A thorough investigation was carried out and forensic experts were activated to look into the possible causes of this unauthorised access," the spokesperson added.
Apologising to affected customers, Cycle & Carriage said that the company has internal processes, protocols, and training in place to support data governance and cyber hygiene, but will continue to "review and refine these as needed" in light of the incident.
The firm has lodged a police report and notified the Personal Data Protection Commission (PDPC). It has also begun to inform affected customers in batches from Wednesday.
In an email sent to a customer on Thursday, which CNA has seen, the firm referred to a "cybersecurity incident" and added that it was still investigating the full scope of the breach. Customers were advised to be cautious of phishing activities or suspicious requests for personal information.

Naming country linked to UNC3886 attack not in Singapore's best interest at this point in time: Shanmugam
CNA, 01-08-2025

SINGAPORE: While naming a specific country linked to cyber threat group UNC3886 is not in Singapore's interest at this point in time, the attack was still serious enough for the government to let the public know about the group, said Coordinating Minister for National Security and Minister for Home Affairs K Shanmugam on Friday (Aug 1).
Speaking to reporters on the side of the Cyber Security Agency of Singapore's (CSA) Exercise Cyber Star, the national cybersecurity crisis management exercise, Mr Shanmugam said that when it comes to naming any country responsible for a cyber attack, 'we always think about it very carefully'.
Responding to a question from CNA on reports tying the group to China, Mr Shanmugam said: 'Media coverage (and) industry experts all attribute UNC3886 to some country … Government does not comment on this.
'We release information that we assess is in the public interest. Naming a specific country is not in our interest at this point in time.'
UNC3886 has been described by Google-owned cybersecurity firm Mandiant as a "China-nexus espionage group" that has targeted prominent strategic organisations on a global scale.
Mr Shanmugam had announced on Jul 18 that Singapore is actively dealing with a "highly sophisticated threat actor" that is attacking critical infrastructure, identifying the entity as UNC3886 without disclosing if it was a state-linked actor. He said the threat actor poses a serious danger to Singapore and could undermine the country's national security, and added that it was not in Singapore's security interests to disclose further details of the attack then.
When asked the following day about UNC3886's alleged links to China and possible retaliation for naming them, Mr Shanmugam, who is also Home Affairs Minister, said this was "speculative". "Who they are linked to and how they operate is not something I want to go into," he said.
Responding to media reports in a Jul 19 Facebook post, the Chinese embassy in Singapore expressed its "strong dissatisfaction" at the claims linking the country to UNC3886, stating that they were "groundless smears and accusations against China".
"In fact, China is a major victim of cyberattacks," it wrote. "The embassy would like to reiterate that China is firmly against and cracks down (on) all forms of cyberattacks in accordance with law. China does not encourage, support or condone hacking activities."
On Friday, Mr Shanmugam also gave his reasons for disclosing the identity of threat actors like UNC3886.
'We look at the facts of each case (and) the degree of confidence we have before we can name. And when we decide to name the threat actor, we look at whether it is in Singapore's best interest,' said Mr Shanmugam, who is also the home affairs minister.
In this case, the threat, attack and compromise to Singapore's infrastructure was 'serious enough' and the government was confident enough to name UNC3886 as the perpetrators, he said.
'Here, we said this is serious. They have gotten in. They are compromising a very serious critical infrastructure. Singaporeans ought to know about it, and awareness has got to increase. And because of the seriousness, it is in the public interest for us to disclose,' said Mr Shanmugam.
ATTACKS HAVE HAPPENED ELSEWHERE
Mr Shanmugam was accompanied at Friday's exercise by Minister for Digital Development and Information Josephine Teo, who is also Minister-in-Charge of Cybersecurity.
Held at the Singapore Institute of Technology in Punggol, the exercise saw teams from critical sector organisations tackle cybersecurity challenges based on key threats, such as advanced persistent threats (APTs) and attacks on critical systems. APTs are a type of prolonged cyberattack typically carried out by well-resourced threat actors.
'There're close to about 500 participants today. They come together, put a face to a name, exercise real life scenarios, things which have happened elsewhere,' said Mr Shanmugam, emphasising that such incidents are 'not theoretical'.
During the event, Mr Shanmugam was shown a demonstration of an attack on a port, where crane operations were paralysed and energy supply was cut off. He was also briefed on the response plan for when the public transport system gets attacked, with millions of people commuting and the fare systems are targeted.
'You have to exercise, you have to bring people together. Government has got a high level of knowledge.' The private sector, meanwhile, is focused on getting things done for their business, he added.
'Now, they need their knowledge and abilities to also increase. So we've got to work together,' said Mr Shanmugam.
Mrs Teo had announced earlier this week that owners of Singapore's critical information infrastructure will, from later this year, be required to report to CSA any incidents suspected to be caused by APTs.
Mr David Koh, chief executive of CSA, said: 'With cyberattacks increasing in frequency and sophistication, it is important for the government to work closely with Singapore's critical sectors and companies to enhance crisis response capabilities and ensure the continual delivery of essential services.'

Critical information infrastructure owners must report all APT incidents under new rules: Josephine Teo
CNA, 29-07-2025

SINGAPORE: Owners of Singapore's critical information infrastructure (CII) will soon be required to report any incidents suspected to be caused by advanced persistent threats (APTs).
The reports must be made to the Cyber Security Agency of Singapore (CSA), said Minister for Digital Development and Information Josephine Teo at the Operational Technology Cybersecurity Expert Panel (OTCEP) Forum on Tuesday (Jul 29).
The new regulations, to take effect later this year, come as Singapore raises its cyber threat alert level in the face of an ongoing attack, according to Mrs Teo.
Earlier this month, Coordinating Minister for National Security K Shanmugam said Singapore is actively dealing with a "highly sophisticated threat actor" attacking its critical infrastructure. Known as UNC3886, the entity has been described by Google-owned cybersecurity firm Mandiant as a "China-nexus espionage group" that has targeted prominent strategic organisations on a global scale.
'On several occasions in the past, CSA has raised the National Cyber Threat Alert Level (NCTAL). This is to urge everyone to be more alert to cyber threats across Singapore, and especially across all CIIs,' said Mrs Teo.
'Given the UNC3886 attack and heightened APT activity, it should not come as a surprise to anyone that we are currently in a heightened state of alert.'
She shared that the CSA has also convened the CEOs of all CII owners for 'a classified briefing on the threat landscape, focusing particularly on the threat from APTs'.
This is all part of efforts to share guidance on the threats and help the CIIs sharpen their readiness response, said Mrs Teo.
She urged the sector not to view the new measures, which flow from last year's Cybersecurity Act amendments to strengthen incident reporting requirements, as a burden.
Under the new regulations, CII owners must report the APT incidents verbally within two hours upon suspicion or awareness, followed by a written report within 72 hours, according to CSA.
'If organisations suspect that they have been targeted, they cannot – and should not – confront the attackers on their own,' said Mrs Teo. 'Reporting such detections early allows CSA to help you. It will also help us coordinate an appropriate national response.'
REAL-WORLD CONSEQUENCES
In her speech, Mrs Teo said it is easy to underestimate the importance of basic cyber hygiene, something that has caused many preventable attacks.
She said that cybersecurity is often likened to a team sport. However, while sports have rules, referees, and the principle of fair play, the cyber realm is more adversarial.
'Those of us in this room today are indeed, on the same team. We are playing defence. But our opponents do not play by the same rules,' she told attendees at Tuesday's forum.
'And a loss for us could have severe consequences for the people we have been entrusted to take care of.'
Mrs Teo cited cases in Ukraine, Russia and Norway, where critical functions like heating and sewage management were disrupted.
In fact, there are more of such attacks taking place worldwide, with the actors driven by various reasons, she said. One is financial gain, while another is for long-term persistence, like in the case of APTs, said Mrs Teo.
APTs deploy advanced tools, evade detection and maintain persistent access in high-value networks, she said.
'APTs are often state-linked, well-resourced and determined. They may conduct espionage for their state sponsor. Their other task may be to develop the capacity to disrupt the services and assets in other states,' said Mrs Teo.
She noted that the ongoing UNC3886 attack on Singapore's critical infrastructure is part of a broader trend, with APT activity detected in Singapore rising over four-fold from 2021 to 2024.
'Until recently, we had not said much about APT activity. Nor had we named any of the groups involved,' said Mrs Teo.
However, the Singapore authorities are now doing so for the first time to let the public know that such threats are not imagined, but real, she said.
'We also need everyone to understand that the potential consequences to our economy and society are very serious,' said Mrs Teo.
APTs target critical infrastructure, which provides essential services for the country, and any attack will have serious real-world consequences.
'These 'live' attacks remind us that cybersecurity is not a nice-to-have. It is a must, not just for the IT personnel, but for the CEO and the board,' said Mrs Teo.
'In particular, the owners of CIIs must raise your vigilance, because you provide essential services that Singapore and Singaporeans depend on.'
The CSA will sign a memorandum of collaboration in OT cybersecurity with ST Engineering, to secure access to the latest tools and expertise, and let engineering teams on both sides jointly study and develop solutions in the sector, said Mrs Teo.
In his opening remarks at Tuesday's event, CSA chief executive David Koh said the agency will continue to work closely with local organisations and international partners to share information and take action against any threats.