WHAT DIDN’T ACRA UNDERSTAND ABOUT THE INTERNAL GOVERNMENT CIRCULAR
Several opposition MPs had also asked for more details on the internal government circular that was tied to the ACRA Bizfile incident and sent out in July.
In December, ACRA chief executive Chia-Tern Huey Min said, during a press conference, that the unmasking of NRIC numbers in the new Bizfile portal was due to a lapse of coordination between the staff on how this was to be implemented.
This resulted in ACRA misunderstanding that it should unmask NRIC numbers in the new Bizfile portal.
MP Sylvia Lim (WP-Aljunied) noted that ACRA had sought clarification from MDDI and asked about the nature of the clarification.
She also asked whether the review panel could share its minutes with the public, after it released its findings, so that “people can form their own judgment on how this misunderstanding could have occurred”.
In response, Ms Indranee said it was clear that the policy intent was not clearly understood and in some cases, there was a lapse in coordination. She declined to elaborate as the review panel will look at it in detail.
She added that she would leave it up to the review panel to decide whether it wants to release its minutes.
Non-constituency MP Leong Mun Wai asked whether any political officeholders cleared the internal government circular.
“My clarification is this … whether any political officeholders were giving directions when the civil servants in ACRA and MDDI were clarifying with each other on the instructions of the circular,” he asked.
“Depending on the answers, I would like to know whether our civil servants have been thrown under the bus.”
Responding to his question, Ms Indranee said no political officeholders were involved in the circular or giving direction on it, but added that he should wait for the findings of the after-action review.
PROHIBITING NRIC NUMBERS AS AUTHENTICATORS
Pointing out that large, regulated organisations such as insurers were reportedly still using NRIC numbers as default passwords, MP Gerald Giam (WP-Aljunied) asked if the government will legally prohibit government agencies and organisations from using NRIC numbers as authenticators and do so by a certain deadline.
In response, Mrs Teo said the practices for the private sector will have to be decided upon consultation.
“I do not want to say what the landing point is going to be, but even without a legal prohibition, I think organisations, if they care about their data security, and they care about protecting the data that they have in their possession or the services being accessed by people who are not intended to enjoy the service … should really rethink their authentication methods.
“Their customers ought to be sensitised to this too, that when the NRIC number is being used by an organisation as an authenticator, it’s actually not safe at all.”
Sharing her personal experience, WP’s Ms Lim said some banks still require customers to produce their physical NRIC card for authentication and asked if the digital NRIC card could be used instead.
Mrs Teo said the digital NRIC card would be acceptable as an authenticator as it contains a person’s photograph.
“We have said quite clearly that the production of this digital NRIC card … is the same as producing the physical NRIC card. So I think that part is quite clear.”
