ACRA's full NRIC disclosure controversy

From PoliticalSG

The full NRIC disclosure controversy refers to the public backlash in December 2024 over the Accounting and Corporate Regulatory Authority's (ACRA) new Bizfile platform, which allowed users to access individuals’ full National Registration Identity Card (NRIC) numbers for free through its search function.

The incident prompted widespread privacy concerns, government apologies, and renewed scrutiny of Singapore's data protection laws.

Background

ACRA launched its revamped Bizfile platform on 9 December 2024 to enhance accessibility and transparency for business-related data. [1]

However, the platform’s search function allowed the public to retrieve full NRIC numbers of individuals associated with businesses, including directors and shareholders, without logging in or paying a fee.

Previously, under the older Bizfile system, NRIC numbers were masked, showing only the last three digits and letter (e.g., ****456A).

Access to full NRIC numbers required users to make a payment and was typically intended for professional or regulatory purposes.

Public Outcry

The unmasking of NRIC numbers gained attention after former journalist Bertha Henson highlighted the issue in a Facebook post on 12 December 2024.

She noted that full NRIC numbers could be accessed with ease and flagged potential risks, such as identity theft and fraud.

Her post went viral, sparking widespread alarm on social media.

Concerns escalated when it was revealed that full NRIC numbers of prominent individuals, including Cabinet ministers, were also accessible via the platform.

Critics pointed out that such disclosures posed serious privacy risks, particularly in light of past enforcement actions by the Personal Data Protection Commission (PDPC) against organisations for exposing NRIC data.

Privacy Concerns and Exemptions

The controversy drew further scrutiny when it was revealed that ACRA, as a statutory board, is exempt from the Personal Data Protection Act (PDPA), which governs the collection, use, and disclosure of personal data by private organisations.

This exemption meant ACRA faced no penalties for exposing full NRIC numbers, unlike private entities, which are held to stricter standards.

Legal and Governance Questions

Observers criticised the government’s lack of coordination and transparency. The Ministry admitted that changes to NRIC masking practices had not yet been fully implemented or debated in Parliament, raising questions about governance and accountability.

The PDPA explicitly requires organisations to implement “reasonable security arrangements” for sensitive personal data like NRIC numbers.

The Advisory Guidelines on PDPA for NRIC and Other National Identification Numbers, introduced in 2018, were removed from the Personal Data Protection Commission’s (PDPC) website. A notice on the page stated: “The document is temporarily unavailable as it is undergoing updates.”

PDPC guidelines 2018

Media Coverage and Public Statements

The controversy received limited attention in local media initially and was only reported more extensively after the issue went viral on social media and following the statements issued by MDDI and ACRA on 14 December 2024.

Government and ACRA Response

On 14 December 2024, the Ministry of Digital Development and Information (MDDI) acknowledged the public backlash and issued an apology.[2]

It admitted that ACRA’s unmasking of NRIC numbers on the Bizfile platform was premature and “ran ahead of the government’s intent” to phase out the masking of NRIC numbers.

ACRA also issued a statement accepting responsibility for the lapse, stating: "We recognise that we moved ahead with unmasking before adequately preparing the ground."[3]

Both agencies emphasised that the unmasking was part of a broader government initiative to reduce reliance on masked NRIC numbers. MDDI justified the move by describing masking as unnecessary and as providing a “false sense of security.”

Following the backlash, ACRA temporarily disabled the search function on 13 December 2024 and later suspended it entirely, confirming that it would refine the platform to better balance privacy concerns and corporate transparency.

MDDI also announced plans for a public education campaign in 2025 to address misconceptions about NRIC numbers and their use as unique identifiers.

Response from Personal Data Protection Commission

Following the statements issued by MDDI and ACRA, the Personal Data Protection Commission (PDPC) released its own statement late on 14 December, emphasising the appropriate and inappropriate uses of NRIC numbers.

Specifically, the PDPC advised against individuals using NRIC numbers as passwords and against organisations relying on NRIC numbers to authenticate identities or set default passwords.

The PDPC highlighted that NRIC numbers, being identifiers rather than secrets, are unsuitable for authentication. Organisations were urged to phase out practices that involve NRIC numbers as default passwords and to implement secure authentication methods, such as complex passwords, multi-factor authentication (MFA), or biometric verification.

The statement further underscored the importance of adhering to the PDPA’s data protection obligations, requiring valid consent, reasonable use, and robust safeguards for all collected NRIC data.

For individuals, the PDPC strongly recommended against using NRIC numbers as passwords, advising anyone who has done so to update their credentials immediately. The Commission outlined best practices for password creation, including the use of at least 12 alphanumeric characters with a mix of uppercase and lowercase letters, numbers, and phrases, referencing guidelines issued by CSA.

Acknowledging feedback from the public, the PDPC announced its intent to update the advisory guidelines on NRIC and National Identification Numbers to align with the MDDI and ACRA statements.

However, it clarified that no further changes would be made until consultations with industry stakeholders and the public are completed to ensure the new guidelines reflect the updated policy intent.

Timeline of events

| Date | Event |
|---|---|
| 9 December 2024 | Revamped Bizfile platform launched by ACRA |
| 12 December 2024 | Bertha Henson raises concerns on her Facebook page over full NRIC numbers being revealed on Bizfile searches for People's profile |
| 13 December 2024 | People's profile search temporarily disabled before being reinstated |
| 14 December 2024 | People's profile search suspended |
| 14 December 2024 | ACRA and MDDI issue statements on the revealing of full NRIC numbers |
| 14 December 2024 | Advisory Guidelines on PDPA removed |
| 14 December 2024 | PDPC issues statement on concerns over NRIC details on Bizfile |
| 14 December 2024 | Advisory Guidelines on PDPA put back up, noting that the guidelines will stay in effect until updated guidelines are developed |