Singapore’s decision to stop masking identification numbers of citizens and residents has sparked debate on privacy and security, with cybersecurity experts agreeing that while access to such information alone does not pose risks, there is a danger when it is paired with other stolen personal data.
Advertisement
The issue surfaced after some users of the revamped digital service business portal, operated by the Accounting and Corporate Regulatory Authority (ACRA), found that they could access the identification card numbers of other individuals through a search function.
Singapore’s Ministry of Digital Development and Information (MDDI) apologised for the concern caused, explaining its intent was to change the existing practice of masking identification numbers – or National Registration Identity Card (NRIC), colloquially called “IC” – only after educating the public that it was safe.
“As a unique identifier, the NRIC number is assumed to be known, just as our real names are known. There should therefore not be any sensitivity in having one’s full NRIC number made public, in the same way that we routinely share and reveal our full names to others,” the ministry said in a statement on Saturday.
The Personal Data Protection Commission (PDPC), an agency which regulates and promotes data protection and sharing, also stressed that an NRIC should be used as an identifier rather than a means of authenticating identity.
“A person’s name and NRIC number identifies who the person is. Authentication is about proving you are who you claim to be. This requires proof of identity, for example, through a password, a security token or biometric data. As the NRIC number is not a secret, it should not be used by an organisation for authentication purposes.”