SINGAPORE: More than 500,000 searches were made on a government business filing website over five days in December after news emerged that people's names and full National Registration Identity Card (NRIC) numbers could be found.
This was much higher than the usual 2,000 to 3,000 daily queries made on the Accounting and Corporate Regulatory Authority’s (ACRA) Bizfile website, said Second Minister for Finance Indranee Rajah in parliament on Wednesday (Jan 8).
The website's updated search function was launched on Dec 9 and most of the queries were made on Dec 13, the day after news of the NRIC numbers broke. The search function was disabled on the night of Dec 13.
The searches came from an estimated 28,000 Internet Protocol (IP) addresses, most of which were from Singapore.
However, the authorities are unable to identify the exact number of NRIC numbers disclosed as the Bizfile portal is not configured to track individual queries, Ms Indranee said in a ministerial statement delivered in response to a spate of parliamentary questions over the recent saga.
The minister also noted that a security feature designed to distinguish between human users and computer bots in the portal’s search function “was not working as intended”, following a security review by ACRA and GovTech.
“This has since been fixed,” Ms Indranee told the House.
“Thus far, we have not uncovered any known threat actors based on the IP addresses that were used to make the people search queries between Dec 9 and 13.”
After a public outcry over privacy concerns, the government said on Dec 14 it had intended to change its practice of masking NRIC numbers only after explaining to citizens, but the new portal was launched before it could do so.
It apologised in a press conference on Dec 19 for the “lapse of coordination”.
Once again acknowledging the public’s concerns over the change in NRIC policy, Ms Indranee and Minister for Digital Development and Information Josephine Teo stressed in their ministerial statements that it was “not the government’s intent for agencies to make datasets of NRIC numbers in their possession widely and easily accessible”.
“I want to start by acknowledging the public anxiety and confusion caused by this incident and once again extend our apologies for it,” said Ms Indranee.
“Many Singaporeans regard NRIC numbers as sensitive information and are understandably concerned to learn that NRIC numbers were available in full in the free people search function of ACRA’s new Bizfile portal from Dec 9 to 13. We take these concerns very seriously.”
While public concerns over the search function surfaced on Dec 12, the government needed time to assess whether the disclosure of full NRIC numbers was consistent with its "policy intent, as well as the feasibility and lead time needed to effect alternatives", Ms Indranee said.
Disabling the search function on Dec 13 was a "last resort", given the impact on businesses and individuals who might need to use the people search function to conduct their due diligence checks, she said.
“It was eventually agreed that, out of the possible options, temporarily disabling the people search function would best address public concerns while ACRA reviewed the people search function.”
Ms Indranee acknowledged that the agencies “could have been more prompt in their response” and an ongoing review will study how the government could have responded more quickly.
A review panel, led by the head of civil service Leo Yip and reporting to Senior Minister Teo Chee Hean, has been set up.
Ms Indranee said the panel will review the government’s policy on the responsible use of NRIC numbers and the disclosure of full NRIC numbers on ACRA’s new Bizfile portal.
“For both matters, the panel will study what happened, how the decisions were made, the implementation and communication processes, the coordination across public sector agencies, and where the government should have done and can do better,” she told the House.
“It will also recommend areas for improvement. Specific to the people search function on Bizfile, the panel will look into the design and implementation of the search function.
Work is underway and the panel expects to complete its review in February and will share its findings thereafter.
Following this incident, ACRA is also reviewing how its people search function can be improved.
For example, ACRA is considering the rollout of additional search parameters, such as the unique entity number (UEN) with which the individual is associated.
As for whether action will be taken against those involved, the minister said that will depend on the outcome of the review.
“Based on the panel’s preliminary findings, the incident seems to be a genuine case of miscommunication borne out of insufficient understanding of the policy intent and each party’s needs and requirements,” said Ms Indranee.
“Nevertheless, if the panel uncovers facts that suggest actionable wrongdoing or serious lapses, it will refer the matter to the relevant bodies or authorities for further disciplinary or legal action.”
Continue reading...
This was much higher than the usual 2,000 to 3,000 daily queries made on the Accounting and Corporate Regulatory Authority’s (ACRA) Bizfile website, said Second Minister for Finance Indranee Rajah in parliament on Wednesday (Jan 8).
The website's updated search function was launched on Dec 9 and most of the queries were made on Dec 13, the day after news of the NRIC numbers broke. The search function was disabled on the night of Dec 13.
The searches came from an estimated 28,000 Internet Protocol (IP) addresses, most of which were from Singapore.
However, the authorities are unable to identify the exact number of NRIC numbers disclosed as the Bizfile portal is not configured to track individual queries, Ms Indranee said in a ministerial statement delivered in response to a spate of parliamentary questions over the recent saga.
The minister also noted that a security feature designed to distinguish between human users and computer bots in the portal’s search function “was not working as intended”, following a security review by ACRA and GovTech.
“This has since been fixed,” Ms Indranee told the House.
“Thus far, we have not uncovered any known threat actors based on the IP addresses that were used to make the people search queries between Dec 9 and 13.”
After a public outcry over privacy concerns, the government said on Dec 14 it had intended to change its practice of masking NRIC numbers only after explaining to citizens, but the new portal was launched before it could do so.
It apologised in a press conference on Dec 19 for the “lapse of coordination”.
Related:
Once again acknowledging the public’s concerns over the change in NRIC policy, Ms Indranee and Minister for Digital Development and Information Josephine Teo stressed in their ministerial statements that it was “not the government’s intent for agencies to make datasets of NRIC numbers in their possession widely and easily accessible”.
“I want to start by acknowledging the public anxiety and confusion caused by this incident and once again extend our apologies for it,” said Ms Indranee.
“Many Singaporeans regard NRIC numbers as sensitive information and are understandably concerned to learn that NRIC numbers were available in full in the free people search function of ACRA’s new Bizfile portal from Dec 9 to 13. We take these concerns very seriously.”
While public concerns over the search function surfaced on Dec 12, the government needed time to assess whether the disclosure of full NRIC numbers was consistent with its "policy intent, as well as the feasibility and lead time needed to effect alternatives", Ms Indranee said.
Disabling the search function on Dec 13 was a "last resort", given the impact on businesses and individuals who might need to use the people search function to conduct their due diligence checks, she said.
“It was eventually agreed that, out of the possible options, temporarily disabling the people search function would best address public concerns while ACRA reviewed the people search function.”
Ms Indranee acknowledged that the agencies “could have been more prompt in their response” and an ongoing review will study how the government could have responded more quickly.
REVIEW TO BE COMPLETED IN FEBRUARY
A review panel, led by the head of civil service Leo Yip and reporting to Senior Minister Teo Chee Hean, has been set up.
Ms Indranee said the panel will review the government’s policy on the responsible use of NRIC numbers and the disclosure of full NRIC numbers on ACRA’s new Bizfile portal.
“For both matters, the panel will study what happened, how the decisions were made, the implementation and communication processes, the coordination across public sector agencies, and where the government should have done and can do better,” she told the House.
“It will also recommend areas for improvement. Specific to the people search function on Bizfile, the panel will look into the design and implementation of the search function.
Work is underway and the panel expects to complete its review in February and will share its findings thereafter.
Following this incident, ACRA is also reviewing how its people search function can be improved.
For example, ACRA is considering the rollout of additional search parameters, such as the unique entity number (UEN) with which the individual is associated.
As for whether action will be taken against those involved, the minister said that will depend on the outcome of the review.
“Based on the panel’s preliminary findings, the incident seems to be a genuine case of miscommunication borne out of insufficient understanding of the policy intent and each party’s needs and requirements,” said Ms Indranee.
“Nevertheless, if the panel uncovers facts that suggest actionable wrongdoing or serious lapses, it will refer the matter to the relevant bodies or authorities for further disciplinary or legal action.”
Related:
Continue reading...