Skip to main content

Massive NRIC Leak with Over 500,000 NRIC Searches in 5 Days

 


More than 500,000 searches were made on the Accounting and Corporate Regulatory Authority’s (Acra) Bizfile portal between December 9 and 13, exploiting a flaw that revealed full NRIC numbers. This incident sparked widespread concern, prompting a ministerial response in Parliament on January 8.

Incident Overview

The new Bizfile portal was launched on December 9, and its free People Search function allowed users to access full NRIC numbers. Concerns surfaced on December 12, and the search function was disabled the following evening.

The surge in searches, far exceeding the typical daily average of 2,000–3,000, came predominantly on December 13 from approximately 28,000 IP addresses, most of which were from Singapore.

Second Minister for Finance Indranee Rajah explained that while the portal’s function to prevent automated bot searches failed, there is no evidence that malicious actors accessed the data.

Security Oversight and Response

Ms. Indranee acknowledged that the Bizfile portal did not track individual queries, making it impossible to determine the exact number of NRIC numbers disclosed. Acra and GovTech have since conducted a review, addressing the malfunctioning security feature.

The People Search function resumed on December 28, with NRIC numbers no longer displayed in search results.

Acra is also exploring additional parameters, such as using Unique Entity Numbers (UENs) in searches, to enhance data protection.

Scope of Data and Mitigation Advice

Ms. Indranee clarified that Acra’s database contains information only on individuals involved in Acra-registered entities, such as companies, partnerships, and non-profits.

She provided steps for individuals concerned about potential misuse of their NRIC numbers:

  1. Avoid using NRIC numbers as passwords for digital accounts and change any such passwords immediately.
  2. Refrain from using NRIC numbers for authentication purposes.
  3. Verify the identity and intent of individuals requesting NRIC details, even if they appear to know the number.

Lessons and Safeguards

The incident highlights vulnerabilities in systems managing sensitive personal data. While Acra has taken corrective measures, Ms. Indranee emphasized the importance of vigilance and better design in future systems to prevent similar breaches.

Labels:
Location: Singapore

Comments

Post a Comment

Popular posts from this blog

Doctor Faces Jail Time For Negligent Aesthetic Treatment Leading To Patient Death

  A thirty seven year old medical practitioner named Chan Bingyi is facing a potential prison sentence of between eighteen and twenty four months following his conviction for a negligent act that resulted in the death of a patient. On April 21 2026 the prosecution presented its sentencing arguments before the court highlighting the severity of the lapse in medical judgment that occurred in 2019. The case involves the death of Lau Li Ting a thirty one year old property agent who passed away following an aesthetic treatment. The incident took place on March 8 2019 at the Revival Medical & Aesthetics Centre located in Bras Basah Road. Ms Lau had visited the clinic situated within the Esplanade Xchange shopping mall for aesthetic purposes specifically hoping to address fine lines on her forehead. During the visit Chan intravenously administered ethylenediaminetetraacetic acid or EDTA to the patient. Court documents and expert testimony emphasized that there was no medical necessity...
Post a Comment
Read more

ICA Officers Arrested Sri Lankan Overstayer in Woodlands Rooftop Garden

  A twenty seven year old Sri Lankan national was apprehended by the Immigration and Checkpoints Authority during a strategic pre-dawn operation on April 8 2026. The individual was located while he was sleeping in a rooftop garden area situated above a Housing and Development Board multi-storey carpark in Woodlands. A team consisting of eleven plainclothes officers participated in the mission after receiving specific intelligence regarding the man's immigration status. Official records indicated that the suspect was an overstayer whose social visit pass had reached its expiration date on June 28 2025. The operation took place at Block 574 Woodlands Drive 16 where the suspect was observed in the company of another foreign individual. To ensure a successful apprehension the officers conducted several hours of surveillance to monitor the movements of the two men and to identify potential exit points. Once all escape routes were effectively secured the team moved in to conduct identity...
Post a Comment
Read more

Ride-Hailing Giant Grab Expands with New Taxi Fleet

  Grab has officially received a street-hail operator licence, marking its entry into Singapore’s taxi industry as the sixth licensed taxi operator. The licence was awarded to its subsidiary, GrabCab, and will take effect on April 9, 2025, for a duration of 10 years. The Land Transport Authority (LTA) announced this development on April 2, 2025, highlighting that the move will offer more options for drivers and passengers while expanding the availability of taxis. Under the terms of the licence, GrabCab is required to progressively grow its fleet to at least 800 taxis within the first three years. LTA emphasized that GrabCab must comply with all safety and operational regulations, ensuring that its vehicles meet specific standards. These include having a distinctive livery and a prominent roof-top sign for easy identification by passengers looking for street-hail taxis. Additionally, the taxis must have sufficient boot space to accommodate a folded wheelchair or luggage. GrabCab’s ...
Post a Comment
Read more