Advisory: 3 Critical Lessons from the PDPC-CSA Warning on NRIC Use

On 26 June 2025, Singapore’s data protection and cybersecurity authorities, the Personal Data Protection Commission (PDPC) and the Cyber Security Agency of Singapore (CSA), issued a joint advisory urging private sector organisations to cease using National Registration Identity Card (NRIC) numbers as a method of authentication. The move follows growing concern that NRIC numbers, which serve as unique identifiers, are being misused as passwords or credentials that grant access to services and personal data.

The advisory emphasises a key distinction: identification and authentication are not interchangeable concepts. Identification merely asserts who a person is, for instance, using an NRIC number to differentiate one customer from another. Authentication, by contrast, requires proof that the individual genuinely is who they claim to be, before granting access to protected services or data.

The danger arises when organisations treat an easily accessible ID number, such as the NRIC, as a secret credential. Since NRIC numbers have likely been shared or exposed multiple times, such as on forms, documents, and databases, they do not provide exclusive proof of identity. This misuse blurs a fundamental line in data protection: identifying an individual is permissible for administrative needs, but authenticating requires secure, confidential credentials. Thus, barring statutory exceptions, NRIC numbers should never be relied upon to confirm a person’s identity for sensitive transactions.

The agencies’ advisory reinforces that authentication must be based on something only the user knows (strong passwords), something they possess (security tokens), or something they inherently are (biometrics).

Why the warning matters now

The advisory is grounded in clear examples of the stakes involved. A key incident arose in December 2024, when the Accounting and Corporate Regulatory Authority (ACRA) unintentionally allowed public viewing of full NRIC numbers through its Bizfile portal. The ensuing public uproar forced government agencies to review their ID-handling practices. In response, the Ministry of Digital Development and Information (MDDI) and PDPC issued statements reiterating that NRIC numbers should no longer serve as authentication factors.

The recent joint advisory takes a broader, more stringent stance. PDPC has previously penalised organisations that misused NRIC numbers as default passwords. Since these numbers are unlikely to be secret, authentication based on them creates high risks of impersonation and data breaches. This advisory, therefore, acknowledges systemic vulnerabilities in current private sector practices and encourages firms to adopt secure alternatives immediately.

The PDPC and CSA advise organisations to take a risk-based approach when selecting authentication methods. They should assess the sensitivity and value of the information at stake, weigh potential threats, and consider user convenience and accessibility.

For low-risk transactions, strong passwords may suffice. For higher-risk actions, such as accessing financial records or confidential health data, organisations should implement multi‑factor authentication, combining passwords with physical tokens or biometric verification.

Adapting authentication levels to the scenario not only enhances security but also improves user experience. The advisory encourages organisations to migrate away from NRIC-based methods and embrace robust authentication while ensuring services remain accessible. This dual focus on usability and protection reflects modern cybersecurity best practices and regulatory expectations in Singapore.

Practical steps for organisations to implement change

Organisations are urged to review their current authentication processes and eradicate any that rely on full or partial NRIC numbers. They must update default password policies, eliminate weak credentials, and train staff and users to use secure, opaque passwords or passphrases that are not easy to guess. Many institutions may find that implementing multi‑factor authentication tools, such as SMS or app‑based codes, security keys, or biometric scans, provides the level of assurance required for sensitive services.
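As an added illustration of the "eradicate credentials that rely on full or partial NRIC numbers" step (example code written for this page, not tooling from PDPC, CSA or Privacy Ninja): a password-policy check that rejects a candidate password which is, or contains a fragment of, the user's own NRIC. The checksum table covers the S/T/F/G prefixes only; the 12-character minimum and the list of "fragments" are assumed policy choices, and all sample numbers are constructed.

```python
import re

# Layout of a Singapore NRIC/FIN: one prefix letter, seven digits, one checksum letter.
NRIC_RE = re.compile(r"^[STFG]\d{7}[A-Z]$")
WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
CHECK_LETTERS = {  # checksum letter indexed by (weighted sum mod 11)
    "S": "JZIHGFEDCBA", "T": "JZIHGFEDCBA",
    "F": "XWUTRQPNMLK", "G": "XWUTRQPNMLK",
}
MIN_PASSWORD_LENGTH = 12  # assumed policy value; the advisory itself sets no number


def is_valid_nric(value):
    """True if value is a well-formed NRIC/FIN (S/T/F/G prefix) with a correct checksum."""
    v = value.strip().upper()
    if not NRIC_RE.match(v):
        return False
    total = sum(int(d) * w for d, w in zip(v[1:8], WEIGHTS))
    if v[0] in "TG":  # T and G series add an offset before the modulus
        total += 4
    return CHECK_LETTERS[v[0]][total % 11] == v[8]


def nric_fragments(nric):
    """Pieces of an NRIC that commonly get reused as 'default' credentials (assumed list)."""
    v = nric.strip().upper()
    digits = v[1:8]
    # Full number, digits only, last four/five characters, first five characters.
    return {v, digits, v[-4:], v[-5:], digits[-4:], v[:5]}


def password_violations(password, user_nric):
    """Reasons to reject a candidate password for the holder of user_nric (empty list = accept)."""
    reasons = []
    p = password.upper()
    if is_valid_nric(p):
        reasons.append("password is a full NRIC/FIN number")
    # Longest fragments first so a full-NRIC match is reported before its sub-strings.
    for frag in sorted(nric_fragments(user_nric), key=len, reverse=True):
        if frag in p:
            reasons.append("password contains NRIC fragment %r" % frag)
            break
    if len(password) < MIN_PASSWORD_LENGTH:
        reasons.append("shorter than %d characters" % MIN_PASSWORD_LENGTH)
    return reasons


if __name__ == "__main__":
    # Constructed sample values, not real identities.
    for pw in ("S1234567D", "Welcome4567!", "correct horse battery staple"):
        print(pw, "->", password_violations(pw, "S1234567D") or "accepted")
```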

Additionally, ongoing governance matters: policies should be documented clearly, training resources deployed, and compliance monitored. Organisations should also align with existing PDPC guidelines, such as the Guide to Data Protection Practices for ICT Systems, and CSA’s cyber hygiene resources. Adopting a comprehensive view of authentication ensures not only compliance but also public trust.

Why the advisory signals a turning point in Singapore’s data protection landscape

The joint PDPC‑CSA advisory represents a pivotal moment in Singapore’s data protection landscape. By urging the private sector to end reliance on NRIC numbers for authentication, these agencies are signalling a commitment to robust, risk‑based online security.

Organisations that fail to act leave themselves and their users vulnerable to impersonation, fraud, and reputational damage. Following this directive requires more than policy updates; it demands a shift towards stronger authentication methods, comprehensive staff training, and consistent oversight.

Modern cyber hygiene begins with acknowledging that unique identifiers like NRIC numbers are inadequate for authentication. It must be bolstered by multi‑factor verification and guided by expert oversight. While there is no one‑size‑fits‑all solution, Singapore’s advisory offers clear principles that private organisations can adapt today to strengthen trust in the digital economy.

For organisations looking to strengthen their data protection posture beyond compliance, it is essential to work with experienced partners who understand the evolving threat landscape. Technical safeguards must go hand in hand with policy reforms, employee training, and regular risk assessments. One effective way to achieve this is by engaging external experts who can help organisations implement comprehensive, end-to-end strategies for both prevention and response.

Trusted providers like Privacy Ninja offer a full suite of data protection services, including Vulnerability Assessment and Penetration Testing (VAPT), outsourced Data Protection Officer-as-a-Service (DPOaaS), Smart Contract Audits, and Data Breach Management support. Whether your organisation is just beginning its compliance journey or needs help strengthening its existing framework, working with a reliable partner ensures that your cybersecurity measures are not only fit for purpose but also future-ready.