
Latest news with #ThereseSoh

'Long overdue': Experts welcome advisory against private-sector use of NRIC numbers for authentication

Singapore Law Watch

11 hours ago


Source: Business Times
Article Date: 27 Jun 2025
Author: Sharanya Pillai & Therese Soh

Government to work with regulated sectors such as finance, healthcare and telecommunications to develop sector-specific guidance.

Urging the private sector to stop using NRIC numbers for authentication is a timely and pragmatic move to strengthen data security, industry players told The Business Times.

On Thursday (Jun 26), the government released an advisory telling private-sector organisations to move away from using full or partial National Registration Identity Card numbers to authenticate individuals 'as soon as possible'.

The government is also working with regulated sectors – such as finance, healthcare and telecommunications – to develop sector-specific guidance in the coming months.

'This is a sensible move and long overdue. Using NRIC numbers for authentication has always been a weak security practice,' said Bhargav Sosale, data protection officer at medtech company Remidio.

He noted that NRIC numbers are more like usernames than passwords, being 'static' identifiers that are used widely across institutions from banks to healthcare providers.

'(That) ubiquity is precisely what makes them unsuitable for authorisation,' he said.

Even the use of partial NRIC numbers – such as the last four digits – could be dangerous, noted Pang Tzer Yeu, chief information security officer at Red Alpha Cybersecurity.

The risks are also high when NRIC numbers are paired with other easily obtainable information such as one's date of birth, noted Gerry Chng, head of cyber at KPMG in Singapore.

Steven Scheurmann of cybersecurity company Palo Alto Networks sees Singapore's move as a 'significant step' towards bolstering digital safety, especially as identity theft and impersonation tactics grow more complex.

He called on organisations to adopt stronger authentication methods such as complex, unique passwords or multi-factor authentication (MFA). Other options include biometric verification and security tokens.

'These methods offer significantly higher resistance to impersonation and fraud, and ultimately help build trust in digital services,' said Scheurmann, who is Palo Alto's regional vice-president for Asean.

Verification through the Singpass app is another tool that some organisations are already tapping, noted Red Alpha's Pang.

'Many companies have already moved away from using NRIC, but there are a few sectors where I still see it being prevalent,' he said, citing the insurance sector as an example.

For players that still rely on NRIC numbers for authentication, the government advisory 'should be a wake-up call', said Sosale.

Industry reactions

Industry players that BT reached out to said that they would work with the authorities on the matter.

Association of Banks in Singapore director Ong-Ang Ai Boon said that the industry is exploring 'alternative authentication methods in line with today's advisory'.

She noted that NRIC numbers alone cannot be used for financial transactions such as payments and funds transfers. However, 'there are limited non-transactional circumstances where NRIC numbers are used for authentication, such as to open encrypted documents sent by e-mail', she said.

A spokesperson for AIA Singapore said that the insurer has moved away from relying solely on NRIC numbers for authentication.

'AIA Singapore only collects full or partial NRIC numbers when it is necessary to establish or verify an individual's identity to a high degree of accuracy,' said the spokesperson, noting that this is in line with Personal Data Protection Act (PDPA) guidelines.

The insurer also uses MFA for more secure access to online services. Verification processes are also in place at human-assisted customer service touch points.

'We take data security seriously and will continue to ensure all our data collection processes adhere to PDPA guidelines,' the spokesperson added.

Separately, Singtel told BT that it adheres to the present guidelines on the use of NRIC for authentication.

'We will wait and review any new guidelines from the (Infocomm Media Development Authority) before assessing any potential impact to our operations,' said a spokesperson.

Fellow telco M1 told BT that it uses NRIC to only identify customers, and not to authenticate them.

Hospital operator Raffles Medical Group noted that it relies on NRIC numbers as a unique identifier for patients during admission, registration and billing.

The company 'will continue to take guidance from the Ministry of Health regarding the use of NRIC numbers for the verification of our patients' identity', a spokesperson said.

Data privacy hit the spotlight last December, after a furore over the disclosure of full NRIC numbers on the Accounting and Corporate Regulatory Authority's Bizfile portal.

The government had plans to change the practice of masking NRIC numbers, but the Bizfile portal had run ahead of that intent, the Ministry of Digital Development and Information said at the time.

Source: The Business Times © SPH Media Limited. Permission required for reproduction.

Competition watchdog fines two contractors S$4.6 million for rigging People's Association tenders

Singapore Law Watch

26-05-2025


Source: Business Times
Article Date: 24 May 2025
Author: Therese Soh

Trust-Build Engineering & Construction and Hunan Fengtian Construction colluded in tenders worth S$56m.

Two contractors found to have engaged in bid-rigging for public-sector tenders were dealt fines totalling S$4.6 million from the Competition and Consumer Commission of Singapore (CCCS).

Trust-Build Engineering & Construction (TB) was fined around S$4.3 million, and Hunan Fengtian Construction (HNFT) was fined S$349,350, CCCS said in a Friday (May 23) statement.

Investigations showed that the two had colluded to rig tenders relating to construction projects at three community clubs in Bukit Batok, Cheng San and Eunos. The total value of the tenders, which the People's Association (PA) called for in 2022, was around S$56 million.

While neither party was awarded any of the tenders, the competition watchdog found that their conduct 'eliminated the competitive pressure between the parties to submit their best offers to PA'.

CCCS said: 'Even though none of the PA tenders were awarded to either of the parties... such bid-rigging conduct has the potential to give the false impression that the bids received from the parties were genuine and competitive.'

The bid-rigging involved HNFT preparing TB's tender submissions and proposing TB's bid prices for each PA tender. HNFT purported to compete against TB for the tenders, despite being aware of TB's likely bid prices and the contents of TB's tender submissions.

'Consequently, TB and HNFT did not independently determine their respective bids for the PA tenders. This undermined a fundamental principle of competition law, which is that businesses must act independently when determining their conduct on the market,' CCCS added.

The investigations began in July 2023, with raids carried out at both parties' businesses in November of that year.

The CCCS procured evidence from sources, including both contractors' personnel, that revealed three instances of bid-rigging.

As part of the legal process under the Competition Act 2004, CCCS in October 2024 issued the parties a written notice setting out the basis for its decision. The competition watchdog said each party submitted written representations, which it considered before deciding to issue the infringement decision.

As the PA had flagged the potential bid-rigging to CCCS before the tenders were awarded, both TB and HNFT were excluded from the tender evaluations.

In imposing financial penalties, the CCCS considered factors including each party's relevant turnover, the nature and seriousness of the infringement, as well as aggravating and mitigating factors.

CCCS chief executive Alvin Koh said: 'CCCS emphasises that bid-rigging undermines fair competition, distorts the regular operation of market forces, and prevents customers from obtaining genuine and competitive offers. In the context of public procurement where public funds are used, taxpayers are the ones who ultimately pay the price of such infringing conduct.'

Koh added that the CCCS offers a leniency programme that allows parties involved in bid-rigging to come forward with information about the anti-competitive conduct in question, and receive a full waiver or substantial reduction in financial penalties.

Individuals with information on cartel activity in Singapore who provide such information to the CCCS may receive monetary rewards of up to S$120,000 under its whistle-blowing scheme, he said.

Source: The Business Times © SPH Media Limited. Permission required for reproduction.
