SINGAPORE: Private sector organisations should stop using National Registration Identity Card (NRIC) numbers to authenticate individuals or as passwords, said the Ministry of Digital Development and Information of Singapore (MDDI), citing risks of impersonation and data breaches.
The Personal Data Protection Commission (PDPC) and the Cyber Security Agency (CSA) issued a formal advisory on Thursday (Jun 26), guiding companies to stop using NRIC numbers to prove a person’s identity.
“While organisations may use NRIC numbers to identify who a person is over the phone or when using digital services, NRIC numbers should not be used to prove that a person is who he claims to be … for the purposes of trying to gain access to services or information meant only for that person,” said MDDI.
The ministry noted that currently, private sector organisations may require people to use their NRIC numbers as passwords to access information intended only for them, such as in insurance documents.
“It is unsafe for organisations to use NRIC numbers in this manner because a person’s NRIC number may be known to others, permitting anyone who knows his NRIC number to impersonate him and easily access his personal data or record.”
Hence, companies that are using full or partial NRIC numbers for authentication purposes should move away from this practice as soon as possible, said MDDI.
This includes not setting NRIC numbers as default passwords in password-protected files sent via email, and not using the full or partial numbers together with other easily obtainable personal data, such as date of birth.
“If it is necessary to authenticate a person, organisations should consider alternative methods, for example requiring the person to use strong passwords, security token or fingerprint identification,” said MDDI.
The ministry added that the government is also working with regulated sectors, including finance, healthcare and telecommunications, to develop sector-specific guidance in the coming months.
