It opens up lots of possibilities (as to what) people can do. So this change in policy, which was apparently acted on by ACRA much earlier than the rest of the government agencies, allows a window of opportunity for cyber criminals to harvest the data.
Whether or not NRIC remains something that should be protected, whether NRIC is a unique identifier, whether NRIC is your full name, that honestly does not really matter in the world of cyber crime. Essentially, this data can be used and it has been used to actually do evil and do harm.
Crispina Robert, host:
Let me pick up on something you said, Aaron. I know you said that, okay this is quite shocking, but MDDI has said that, “Look, it’s kind of pointless to mask it because the algorithms are so advanced.” Basically the scammers out there have become quite sophisticated …
I think what sits uncomfortably is that all this while, PDPA says don’t collect (the) full IC number, right? And now they’re saying, okay, the full IC number is not as vulnerable as we thought it was, or we initially made it out to be. Is there some kind of a mismatch between the PDPA requirements (and the policy)?
Steve Tan, Rajah & Tann Singapore:
I mean, we can’t obfuscate the fact that through the years we’ve been really conditioned to the fact that, yes, we’ve got to treat national identification numbers carefully because it’s immutable, and it in itself, is like your master key right, to unlocking lots of access to other platforms, data and stuff like that. And of course, now that you see a change coming from the pronouncement from MDDI (with the media release on Dec 13). Then PDPC came up with the release on Dec 14, right? And the jury is not out yet, right?
If you read that release carefully, they’re focusing on authentication, on password access.
