Businesses told to stop using NRIC numbers for authentication or default passwords

Singapore’s Ministry of Digital Development and Information (MDDI) has directed private sector organisations to stop using NRIC numbers for authentication or as default passwords, warning of heightened impersonation and data breach risks.

AI-Generated Summary
  • MDDI, PDPC, and CSA have directed businesses to stop using NRIC numbers for authentication or as default passwords.
  • The practice is unsafe as NRIC numbers are easily accessible, raising risks of impersonation and breaches.
  • The advisory follows a December 2024 Bizfile data exposure incident that revealed over 500,000 NRIC records.

Private sector organisations in Singapore must immediately cease the use of National Registration Identity Card (NRIC) numbers as authentication credentials or default passwords, the Ministry of Digital Development and Information (MDDI) said on 26 June 2025.

The advisory, issued jointly with the Personal Data Protection Commission (PDPC) and the Cyber Security Agency (CSA), called the practice unsafe and urged companies to adopt stronger verification systems.

Risks of impersonation and data breaches

Authorities noted that some organisations still use NRIC numbers to grant access to sensitive information such as insurance documents. Because NRIC numbers are widely known or easily obtained, they are vulnerable to misuse by bad actors.

“NRIC numbers should not be used to prove that a person is who he claims to be… for the purposes of trying to gain access to services or information meant only for that person,” stated the MDDI.

The ministry also warned against using NRIC numbers as default passwords for email-protected documents, particularly when paired with other easily available details such as dates of birth.

Alternative authentication methods recommended

The MDDI advised companies to replace NRIC-based authentication with more secure measures. Suggested options include strong passwords, two-factor authentication with tokens, or biometric verification such as fingerprint or facial recognition.

Sector-specific guidance will be released for industries such as finance, healthcare, and telecommunications in the coming months.

Background: strengthening NRIC use policies

The move builds on a broader initiative launched in January 2025 to tighten the use of NRIC numbers in the private sector. In a ministerial statement earlier this year, Minister for Digital Development and Information Josephine Teo urged businesses to eliminate NRIC numbers as authentication factors.

Partial collection of NRIC details may continue under limited circumstances, subject to public consultation.

Trigger: Bizfile data exposure

The advisory comes months after a high-profile incident involving the Accounting and Corporate Regulatory Authority (Acra).

When Acra launched its new Bizfile portal on 9 December 2024, users could access individuals’ full names and NRIC numbers through its search function. The flaw went unnoticed for days, until a surge of traffic drew attention on 12 December.

Authorities disabled the search function on 13 December. By then, more than 500,000 searches had been logged, compared with a typical daily volume of 2,000 to 3,000. Around 28,000 IP addresses—mostly from Singapore—were involved.

During parliamentary sittings in January and March 2025, ministers acknowledged accountability. Second Minister for Finance Indranee Rajah and Minister Josephine Teo apologised publicly, while then-Senior Minister Teo Chee Hean confirmed consequences for officers and senior management, including retraining and performance-related penalties.

Chia-Tern Huey Min, chief executive of Acra, was responsible for overseeing the portal’s design and implementation. The Permanent Secretaries of the Smart Nation and Digital Government Office (now under MDDI) were tasked with executing related digital policies.

Teo clarified that while the review was not a formal disciplinary process, respective public agencies would handle disciplinary action if warranted.

Push for stronger safeguards

The government has stressed that lessons from the Bizfile incident underscore the urgent need for organisations to improve data protection practices.

By moving away from NRIC-based verification, the MDDI aims to reduce the risks of impersonation, identity theft, and data breaches, while reinforcing public trust in digital services.
