News Details

CATEGORY: SPEECHES

Ministerial Statement by Second Minister for Finance, Ms Indranee Rajah, on NRIC Numbers in ACRA’s Bizfile Service, at The Parliament, on 8 January 2025.

Download the full speech here (PDF, 182KB).

08 Jan 2025

Mr Speaker, Minister Josephine Teo has spoken about the Government’s position on the use of NRIC numbers. In my statement, I will cover the events leading to the disclosure of full NRIC numbers on the ACRA Bizfile People Search function and address related questions from Members.

Introduction

2. I want to start by acknowledging the public anxiety and confusion caused by this incident and once again extend our apologies for it. Many Singaporeans regard NRIC numbers as sensitive information and are understandably concerned to learn that NRIC numbers were available in full in the free People Search function of ACRA’s new Bizfile portal from 9 to 13 December 2024. We take these concerns very seriously. In the wake of the public concern about the disclosure, ACRA suspended the service, and since the resumption of service on 28 December 2024, the search results under the revised People Search function no longer show any NRIC numbers, masked or unmasked. We believe this approach addresses both the concerns that the public currently have and the needs of Bizfile users.

3. My statement will cover the following three areas:

a. First, ACRA’s mandate to provide public access to basic information on businesses and their associated individuals.

b. Second, the series of events that led to ACRA changing the People Search function to unmask NRIC numbers. Here I will also address questions relating to the scale of disclosure.

c. Third, whether a review of the incident will be conducted and if any action will be taken against those involved.

ACRA’s mandate to collect and disclose information

4. There have been questions on why ACRA needs to provide public access to basic information on individuals associated with businesses, and the types of information that are being made public. Some questions are based on an underlying assumption that NRIC numbers cannot be made public at all, which is not correct.

5. It is therefore important to first have a clear understanding of ACRA’s mandate to collect and disclose information before we address the other issues.

6. ACRA is the national regulator of business registration and financial reporting. Its mission is to foster a trusted business environment, so that businesses and individuals within and outside of Singapore can transact with Singapore business entities with confidence and know who they are dealing with. In furtherance of that mission, one of ACRA’s roles is to maintain our national business register.

7. To this end, ACRA is empowered to collect and maintain information on business entities and their associated individuals. “Associated individuals” include individuals who are owners or directors of companies, or shareholders of private companies.

a. Information on business entities: The information on business entities that ACRA collects and maintains includes the business’s name, the Unique Entity Number (UEN), incorporation date, status (e.g. whether it is live, dormant or wound up), the registered address, business activity, paid up capital and the list of shareholders.

b. Information on associated individuals: The information on associated individuals that ACRA collects and maintains includes the individual’s name, nationality, identification number (such as the NRIC number) and contact address. It also includes the past and present positions that they hold or have held in business entities that they are or have been associated with, as well as when they held these positions.

8. To maintain corporate transparency, facilitate business transactions and guard against illicit activities, ACRA is allowed by law to give public access to such information – including NRIC numbers. This is provided for under the ACRA Act and other ACRA-administered legislation.

9. Public access to such information is not unique to Singapore. Many business registries around the world similarly provide public access to such information.

10. Let me provide some examples to illustrate why public access to such information is necessary.

a. For example, when a bank onboards a new corporate client, it will need to conduct background checks on the company’s directors. This allows the bank to ascertain if the directors have any history of financial misconduct or if they have been involved in companies with financial or regulatory issues, before deciding whether to grant credit facilities such as loans. Information on the company’s directors, such as their NRIC numbers, will be useful to the bank when confirming the directors’ identities.

b. When companies and investors do business with each other or when they are considering mergers and acquisitions, they would normally need NRIC numbers to facilitate due diligence checks on the identities and shareholdings of their counterpart’s company directors.

c. NRIC numbers also help to deter illicit activities. When the identities of business owners, directors, and other key position holders of businesses are publicly known, and are publicly linked to their businesses, it deters these individuals from engaging in illegal activities such as money laundering and fraud, because their clients, regulators and stakeholders can easily trace them and hold them accountable for their actions. Public access to information on individuals associated with business entities thus maintains corporate transparency, deters illicit activities, and upholds trust in our business environment.

11. In summary, therefore, it is important to understand that the public disclosure of NRIC numbers is not prohibited per se. The real issue is the degree and the ease of access to NRIC numbers. Let me just repeat that, because it is important that people understand this. The public disclosure of NRIC numbers is not prohibited per se. The real issue is the degree and the ease of access to NRIC numbers. To appreciate the distinction, it is necessary to understand how ACRA’s Bizfile portal works.

Bizfile portal

12. Bizfile is ACRA’s one-stop e-services portal for users to register new businesses, file annual returns, update business and personal information, and access information on business entities and their associated individuals.

13. There are two key steps to access information on business entities and their associated individuals on Bizfile:

a. First, the People Search, or what I will for convenience call “Step 1”; and

b. Two, the People Profile purchase, or what I will call “Step 2”.

14. The People Search function is the first step in a user’s search for information on individuals associated with business entities. It allows users to specify and identify the individual on whom they wish to obtain information. This function is free, and I will explain how it works.

a. On the old Bizfile portal, which was in place before 9 December 2024, users could do a name search, which would return a list of individuals with the same searched name and their masked NRIC number.

b. For example, if you did a name search for “John Tan”, and there were four “John Tan”s in the database, all four names would turn up in the People Search results, along with the masked NRIC numbers of those four individuals. If you had the NRIC number of the specific John Tan you were searching for, you would be able to identify the correct John Tan from among the People Search results.

c. If you wanted more information on the relevant John Tan, you would then have to purchase the People Profile on that John Tan. This is “Step 2”, for which a fee is charged. The People Profile contains additional information such as the individual’s full name, full NRIC number, contact address, associated businesses, and past and present positions that they held or hold.

15. Therefore, even on the old Bizfile portal, a member of the public could obtain the full NRIC number of an individual associated with a business entity by purchasing that individual’s People Profile at “Step 2”.

16. There was no change to this "Step 2” in the new Bizfile portal.

17. In other words, the full NRIC number has always been publicly accessible upon the purchase of a People Profile, and this has not been an issue. The NRIC number, in the context of a Bizfile search, has never been confidential or secret. The real issue is one of degree and ease of access, and searchability.

18. So, what changed? What changed between the old Bizfile portal and the new one launched on 9 December 2024 was the People Search function, or “Step 1”.

a. As I explained earlier, if you keyed in a name or part of a name on the old Bizfile portal, previously, the search results would show the names and the masked NRIC numbers.

b. The new Bizfile portal, however, showed the names and the full NRIC numbers, until the service was suspended.

19. This change to the People Search function on the new Bizfile portal, namely, to display full NRIC numbers at Step 1, meant that if a user typed in “John Tan”, all the four “John Tan”s in the system and their full NRIC numbers would be displayed. However, this change also meant that the public had free access to the full NRIC numbers of any individual in ACRA’s database. This understandably caused public concern since many Singaporeans view their NRIC numbers as sensitive and confidential information.

20. ACRA has since revised the People Search function such that it only returns names and no longer displays any NRIC number, whether masked or unmasked.

Account of events

21. Mr Ang Wei Neng, Ms Joan Pereira, Mr Liang Eng Hwa asked about the events that led to ACRA unmasking NRIC numbers in the People Search function.

22. As mentioned at the press conference on 19 December 2024, we are thoroughly reviewing the incident to ascertain what exactly happened. The review is underway, and I do not want to prejudge the outcome, but I will share the key facts that have been pieced together so far.

23. MDDI had concerns about how NRIC numbers were being used, as Minister Josephine Teo has explained in her ministerial statement. Consequently, in July 2024, MDDI issued a circular minute directing all government agencies to: (i) stop using NRIC numbers as authenticators or passwords; and (ii) cease any planned use of masked NRIC numbers in, for example, new business processes and digital services.

24. ACRA understood the directive to mean that it had to unmask, and display in full, the NRIC numbers in the People Search function on the Bizfile portal.

25. ACRA had internal deliberations about the risks of unmasking NRIC numbers in its People Search function, including the possible impact on personal data protection. ACRA then sought MDDI’s clarification on whether it was required to unmask NRIC numbers in the People Search function on the new Bizfile portal.

26. However, due to a lapse in co-ordination between MDDI and ACRA, ACRA continued to understand, mistakenly, that the directive to cease the use of masked NRIC numbers in new digital services required ACRA to unmask, and disclose in full, the NRIC numbers.

27. Hence, ACRA disclosed full NRIC numbers in the People Search function when the new Bizfile portal was launched on 9 December 2024, as they thought MDDI required them to.

28. Let me stress this: it was not the Government’s intent for agencies to make datasets of NRIC numbers in their possession widely and easily accessible.

29. Minister Josephine Teo has since explained, both at the press conference on 19 December 2024 and in her ministerial statement earlier, that when MDDI told agencies to cease the use of masked NRIC numbers, that did not automatically mean using full NRIC numbers in every case. Instead, MDDI’s policy intent was for agencies to: one, not use NRIC numbers at all unless necessary; two, use other identifiers in lieu of NRIC numbers, where this was adequate; and three, in certain cases such as in medical settings where the use of NRIC numbers is required by law or necessary for accurate identification, use full NRIC numbers. MDDI has acknowledged that they should have made this clear.

30. With the benefit of hindsight, it is clear that there were gaps in the communication and understanding of MDDI’s policy intent. The Government is reviewing this lapse in co-ordination and communication between MDDI and ACRA, and I will elaborate on the scope of the review later.

31. Mr Xie Yao Quan asked about the length of time taken by ACRA to decide to disable the People Search function.

a. When public concerns first surfaced on 12 December 2024, MDDI and ACRA needed time to assess whether the disclosure of full NRIC numbers in the People Search function was consistent with MDDI’s policy intent, as well as the feasibility and lead time needed to effect alternatives. Disabling the search function was a last resort, given the impact on businesses and individuals who might need to use the People Search function to conduct their due diligence checks.

b. It was eventually agreed, out of the possible options, temporarily disabling the People Search function would best address public concerns while ACRA reviewed the People Search function. The function was disabled on the night of 13 December 2024.

c. Therefore, while the agencies could have been more prompt in their response, one must also have regard to the various considerations they were balancing at the time.

d. As part of the review, we will study how the Government could have responded more quickly.

32. Associate Professor Jamus Lim asked if ACRA intends to extend its fee-based tiered access policy to more personal data. ACRA has no plans to do so. The issue here, as I have explained, is not about collecting or disclosing more personal data, but the ease of access to and the searchability of existing personal data that is currently publicly accessible.

Security impact

33. Let me now move on to the queries about the scale of the disclosure.

34. First, I should emphasise that ACRA’s database does not contain information on all Singapore citizens. It contains information only on individuals who are reflected in filings or lodgements made with ACRA. These are individuals who are or have been involved in ACRA-registered entities, such as companies, partnerships, as well as non-profit organisations that are companies limited by guarantee.

35. If you or your authorised representative have not made any filing with ACRA before, your NRIC number would not have been collected or shared by ACRA. However, if you have incorporated a business or assumed a board directorship, your information would have been collected and made publicly available through the People Profile, or “Step 2”. The fee imposed at “Step 2” acts as a filter and makes it more likely that those accessing the People Profile information would have a good reason for doing so.

36. In respect of the period from 9 to 13 December 2024 when full NRIC numbers were disclosed on the People Search function, Mr Dennis Tan, Ms He Ting Ru, Mr Louis Chua and Dr Tan Wu Meng have asked about the number of People Searches conducted, the number of distinct users who conducted searches, the number of NRIC numbers that were disclosed before the People Search function on the new Bizfile portal was disabled, and the risk that NRIC numbers were accessed by malicious actors.

37. Based on the investigations so far, more than 500,000 queries were made on People Search during that 5-day period from 9 to 13 December 2024. This was much higher than the usual daily traffic of 2,000 to 3,000 queries. The bulk of these queries were made on 13 December 2024, the day after news of the NRIC numbers on the new Bizfile portal broke. These searches came from an estimated 28,000 IP addresses, most of which were from Singapore.

38. We are unable to identify the exact number of NRIC numbers that were disclosed through these queries, as the Bizfile portal is not configured to track individual queries for the People Search function.

39. ACRA and GovTech have since conducted a security review and identified that the security feature in the People Search function designed to distinguish between human users and computer bots was not working as intended. This has since been fixed.

40. Thus far, we have not uncovered any known threat actors, based on the IP addresses that were used to make the People Search queries between 9 and 13 December 2024.

41. That said, those who are concerned that their NRIC numbers may have been accessed can still take steps to protect themselves.

a. First, ensure that your NRIC number is not used as a password for any of your digital accounts. If you are using your NRIC number as a password, you should change your password as soon as possible.

b. Second, do not use your NRIC number for authentication. If you are currently using your NRIC number for that purpose, change your authenticator as soon as possible.

c. Third, do not assume someone to be a legitimate authority even if they know your NRIC number. Even if someone can recite your full NRIC number, it would be prudent to ascertain their identity and intent by conducting other checks.

42. Following this incident, ACRA is reviewing how the People Search function can be improved. For example, ACRA is considering the rollout of additional search parameters, such as the UEN of the entity with which the individual is associated.

Review

43. I now come to the last part of my statement, which is on the review of the incident and whether action will be taken against those involved.

44. As mentioned earlier, a Review Panel has been set up to study the root cause of the incident, and work is already underway. The Panel is led by Head of Civil Service Mr Leo Yip, and it includes Permanent Secretaries whose Ministries are not involved in the NRIC policy or this incident. It also includes the Permanent Secretaries of MOF, which oversees ACRA, and MDDI. The Panel will report to Senior Minister Teo.

45. The Panel will review two matters. First, the Government’s policy on the responsible use of NRIC numbers. Second, the disclosure of full NRIC numbers on the People Search function of ACRA’s new Bizfile portal.

46. For both matters, the Panel will study what happened, how the decisions were made, the implementation and communication processes, the co-ordination across public sector agencies, and where the Government should have done and can do better. It will also recommend areas for improvement. Specific to the People Search function on Bizfile, the Panel will look into the design and implementation of the search function. The Panel expects to complete its review in February. We will share the review findings thereafter.

47. Mr Don Wee asked how the disclosure of full NRIC numbers on the new Bizfile portal aligns with data protection policies under the Personal Data Protection Act (PDPA).

a. First, in the interest of corporate transparency, ACRA is legally allowed to disclose certain information, as I explained earlier.

b. Second, beyond such permitted disclosures, ACRA, as a public agency, is required to meet personal data protection standards set out in the Public Sector (Governance) Act (PSGA) and Government Instruction Manuals (IMs), which are standards similar to those under the PDPA. The PDPA applies to the private sector, whereas public agencies like ACRA are governed by the PSGA and the Government IMs. As the Panel is still ascertaining the full facts of this incident, it would be premature to conclude definitively whether there has been a breach of the PSGA or the Government IMs.

48. As for whether action will be taken against those involved, that depends on the outcome of the review. Based on the Panel’s preliminary findings, the incident seems to be a genuine case of miscommunication borne out of insufficient understanding of the policy intent and each party’s needs and requirements. Nevertheless, if the Panel uncovers facts that suggest actionable wrongdoing or serious lapses, it will refer the matter to the relevant bodies or authorities for further disciplinary or legal action.

Conclusion

49. Mr Speaker, in conclusion, there are three key points I wish to reiterate:

a. First, providing public access to information on business entities and their associated individuals, including NRIC numbers, is part of how ACRA upholds corporate transparency and deters wrongdoing. But this information only pertains to ACRA-registered entities and individuals who are reflected in filings or lodgements made with ACRA. ACRA does not have the NRIC numbers of all Singapore citizens.

b. Second, while MDDI intended for government agencies to cease using masked NRIC numbers, it did not intend for government agencies to unmask all the NRIC numbers that they were masking. The unmasking of NRIC numbers in the People Search function arose from ACRA’s misunderstanding of MDDI’s policy intent, and gaps in communication and co-ordination between agencies. That said, even if ACRA had been labouring under the wrong impression, it should have been more mindful of the need to balance corporate transparency and the likely public concerns over the ease of access to and searchability of personal information in the People Search function on the new Bizfile portal.

c. Third, the Government will learn from this episode and do better in the future. We are reviewing this incident thoroughly, and we will in due course share with the public the lessons learnt.

50. Let me conclude by saying something on behalf of ACRA. ACRA has acknowledged its mistake and is very sorry that this has happened. Since then, it has been doing its utmost to put things right and do better.

51. They worked throughout the festive period to get the revised People Search function in place and to test and check the system. At the same time, they have been assisting Bizfile users in navigating the revised search function.

52. ACRA will work on improving its services and step up its data management measures.

53. It will also support the Review Panel in identifying what went wrong and what could and should have been done better.

54. This brings me to the end of my statement. Mr Speaker, may I suggest that Members seek clarifications in three segments:

a. First, on the Government’s position on the use of NRIC numbers.

b. Second, on the events that led to the unmasking of NRIC numbers.

c. Third, any other clarifications.

2025/01/08

Did you find this page useful?

Before you start

Who must register with ACRA

Choosing a business structure

Reserving a business name

Addresses to register with ACRA

Foreigners registering a business in Singapore

Register your business

Starting a sole proprietorship/partnership

Setting up a local company

Registering a limited partnership

Registering a limited liability partnership

Transfer of Registration /Re-domiciliation

Incorporating a VCC

Other Useful Information

List of referral authorities

Corppass, licences, taxation etc.

Buying business information

Sole-proprietorships & Partnerships

Updating information of sole proprietorship

Renewing sole proprietorship

Common offences under the Business Names Registration Act

Closing the sole proprietorship

Variable Capital Companies

Setting up a VCC

Buying information for VCCs

Updating info of VCC and VCC officers

Register a charge for VCC

Filing annual returns for VCC

Companies

Filing Annual Returns

Holding Annual General Meeting

Registering a charge for companies

Striking off a company

Setting up Register of Registrable Controllers

Updating information of a company (include applying for alternate address)

Filing financial statements in XBRL format

Common offences for companies

Limited Liability Partnerships

Filing annual declarations

Appointing LLP manager

Closing a LLP

Updating information of LLP

Striking off an LLP

Limited Partnerships

Renewing a LP

Converting a limited partnership

Closing a limited partnership

Resignation of partners

Updating information of limited partnership

Common offences for limited partnership

Enforcement Policy

Overview

Investigation

Compliance and Enforcement measures

Filing a complaint

Making representation

Key statutory requirements

Holding AGM

Filing Annual Returns

Updating particulars of a company

Setting up Register of Registrable Controllers

Directors duties in relation to financial reporting

Offences

Offences for not holding AGM or filing ARs

Common Statutory offences

Common offences under the Business Names Registration Act

Common offences for Limited Partnerships

Common offences for Limited Liability Partnerships

Enforcement action

Disqualification of directors

ACRA-initiated striking off of companies

Composition fines

Enforcement Notices

Prosecution Highlights

Accounting Standards

Accounting Standards Committee

Pronouncements

Consultations

Submissions

Accounting Standards News