Skip to main content

Massive NRIC Leak with Over 500,000 NRIC Searches in 5 Days

 


More than 500,000 searches were made on the Accounting and Corporate Regulatory Authority’s (Acra) Bizfile portal between December 9 and 13, exploiting a flaw that revealed full NRIC numbers. This incident sparked widespread concern, prompting a ministerial response in Parliament on January 8.

Incident Overview

The new Bizfile portal was launched on December 9, and its free People Search function allowed users to access full NRIC numbers. Concerns surfaced on December 12, and the search function was disabled the following evening.

The surge in searches, far exceeding the typical daily average of 2,000–3,000, came predominantly on December 13 from approximately 28,000 IP addresses, most of which were from Singapore.

Second Minister for Finance Indranee Rajah explained that while the portal’s function to prevent automated bot searches failed, there is no evidence that malicious actors accessed the data.

Security Oversight and Response

Ms. Indranee acknowledged that the Bizfile portal did not track individual queries, making it impossible to determine the exact number of NRIC numbers disclosed. Acra and GovTech have since conducted a review, addressing the malfunctioning security feature.

The People Search function resumed on December 28, with NRIC numbers no longer displayed in search results.

Acra is also exploring additional parameters, such as using Unique Entity Numbers (UENs) in searches, to enhance data protection.

Scope of Data and Mitigation Advice

Ms. Indranee clarified that Acra’s database contains information only on individuals involved in Acra-registered entities, such as companies, partnerships, and non-profits.

She provided steps for individuals concerned about potential misuse of their NRIC numbers:

  1. Avoid using NRIC numbers as passwords for digital accounts and change any such passwords immediately.
  2. Refrain from using NRIC numbers for authentication purposes.
  3. Verify the identity and intent of individuals requesting NRIC details, even if they appear to know the number.

Lessons and Safeguards

The incident highlights vulnerabilities in systems managing sensitive personal data. While Acra has taken corrective measures, Ms. Indranee emphasized the importance of vigilance and better design in future systems to prevent similar breaches.

Labels:
Location: Singapore

Comments

Post a Comment

Popular posts from this blog

Voyeurism Charge Lands Former Sengkang General Hospital Doctor in Jail

  A doctor, Jonathan Soh Jingyao, aged 34, who previously worked at Sengkang General Hospital, has been sentenced to eight weeks in jail for a voyeurism charge despite his defence counsel arguing for a Mandatory Treatment Order (MTO). The sentencing took place on December 15. The voyeurism offense involved Soh using his phone to secretly film a woman showering in an apartment. While the relationship between Soh and the victim was redacted in court documents, a gag order protects her identity. The incident occurred on April 14, 2024. The victim was in the common toilet of the apartment when Soh held his phone up to the window connecting the kitchen and the toilet to film her. The victim noticed the phone near the window and immediately shouted, prompting Soh to quickly leave the kitchen. He later deleted the video from his phone and offered an apology to the woman, but her boyfriend subsequently made a police report on the same day. Soh, through his defence counsel Jeeva Joethy from...
Post a Comment
Read more

55-Year-Old Suspect Charged for Bukit Timah Restaurant Break-In

  On December 16, 2025, Singaporean Tang Hian Leng, 55, was charged with housebreaking and theft following an incident at the Korean fried chicken restaurant Oven & Fried Chicken, located at 16 Chun Tin Road in Bukit Timah. The alleged offence occurred on December 14, 2025, at approximately 1.14am, when  Tang is accused of breaking into and climbing through a toilet window to gain entry. He reportedly stole $155 from the establishment.   The police were notified at 11.42am that day. Through swift follow-up investigations, and by utilizing images from police cameras and CCTV, officers from the Clementi Police Division and the Police Operations Command Centre established Mr. Tang's identity. He was subsequently arrested within seven hours of the report being made. The offence of housebreaking and theft carries a maximum penalty of up to 10 years imprisonment and a fine.
Post a Comment
Read more

77-Year-Old Man Charged for Cutting Bird Trap, Allowing Three Crows to Escape

  A 77-year-old Singaporean man, Tan See Chee, was charged on Tuesday, December 16, for disrupting a National Parks Board (NParks) operation after he allegedly cut the cable ties of a crow trap, allowing three birds to escape. The incident occurred near Block 181, Lorong 4 Toa Payoh, on October 20 at about 5:50 PM. Tan is accused of mischief causing disruption to the performance of a public agency's function. Police identified him two days later using CCTV footage. The police issued a statement warning that they take a "serious view" of such acts of mischief against apparatus serving public functions. Tan informed the court he intends to plead guilty and will not engage a lawyer. If convicted, he faces up to 10 years in jail, a fine, or both. His plea date is set for January.
Post a Comment
Read more