Singapore Warns Against using NRIC Numbers as Passwords Amid Data Breach Concerns
Singapore is urging private firms to ditch the practise of using National Registration Identity Card (NRIC) numbers as passwords, following a formal advisory issued on june 26, 2025, by the personal Data Protection Commission (PDPC) and the Cyber Security Agency of Singapore (CSA). This move comes in response to growing concerns about impersonation and data breaches, especially after a significant leak via ACRA’s Bizfile portal last December [[2]].
The risks of NRIC Authentication
The advisory explicitly states that “NRIC numbers should not be used as passwords to authenticate a person” [[1]]. This is because NRIC numbers are unique identifiers and are assumed to be known by at least a few other individuals, making them vulnerable to misuse.
Did You know? In 2023, Singapore experienced a 10% increase in data leaks within the public sector, recording 201 cases.
Organizations are strongly advised to cease using full or partial NRIC numbers for authentication purposes promptly. This includes refraining from setting NRIC numbers as default passwords and avoiding the combination of NRIC numbers with other easily accessible personal data, such as dates of birth, for authentication [[3]].
Expert Insights and Alternative Solutions
Mayumi Soh, a technology expert at Pinsent Masons, emphasized the government’s commitment to enhancing data protection through this advisory. She highlighted the necessity for businesses to reassess their authentication protocols and implement more robust methods,such as multi-factor authentication or biometric verification.
Pro Tip: Multi-factor authentication (MFA) adds an extra layer of security by requiring users to provide two or more verification factors to gain access to an account.
The move is part of a broader initiative to bolster data security and prevent identity theft, particularly targeting private sector organizations, their IT and cybersecurity departments, and compliance officers responsible for ensuring adherence to the advisory.
Key Recommendations for Organizations
To comply with the new advisory, organizations should:
- Immediately stop using NRIC numbers as passwords.
- Implement multi-factor authentication.
- Explore biometric verification methods.
- Review and update data protection protocols.
| Date | Event |
|---|---|
| December 2024 | Major data leak via ACRA’s Bizfile portal. |
| June 26,2025 | PDPC and CSA issue formal advisory against using NRIC numbers as passwords. |
| July 2025 | Organizations urged to implement alternative authentication methods. |
The Broader Context of Data security in Singapore
Singapore has been actively working to strengthen its data protection framework in recent years. The advisory against using NRIC numbers as passwords is just one component of a larger strategy to safeguard personal data and prevent cybercrime. As technology evolves,so too must the measures taken to protect sensitive information.
Evergreen Insights: Background, context, Historical Trends
The push for stronger data protection measures in Singapore reflects a global trend towards greater awareness of cybersecurity risks. As digital transactions and online interactions become increasingly prevalent, the need to protect personal data has never been more critical. Singapore’s proactive approach to data security positions it as a leader in the region.
FAQ: NRIC Numbers and Password Security
-
Why is Singapore advising against using NRIC numbers as passwords?
The Personal Data Protection Commission (PDPC) and Cyber Security Agency of Singapore (CSA) are advising against using National Registration Identity Card (NRIC) numbers as passwords due to the increasing risk of impersonation and data breaches. NRIC numbers are unique identifiers and should not be used for authentication [[1]].
-
What are the risks of using NRIC numbers for authentication?
Using NRIC numbers for authentication poses significant security risks,including impersonation and data breaches.If an NRIC number is compromised, it can be used to access personal information and services, leading to identity theft [[2]].
-
What should organizations do instead of using NRIC numbers as passwords?
Organizations should stop using full or partial NRIC numbers for authentication quickly. They should not set NRIC numbers as default passwords or use them in combination with other easily obtainable personal data. Robust methods such as multi-factor authentication or biometric verification should be adopted.
-
When did the advisory against using NRIC numbers as passwords come into effect?
The formal advisory was issued on June 26, 2025, by the Personal Data Protection Commission (PDPC) and the Cyber Security Agency of Singapore (CSA) [[1]].
-
Who is affected by this advisory?
This advisory is especially relevant to private sector organizations, their IT and cybersecurity departments, and compliance officers responsible for ensuring adherence to data protection guidelines. The goal is to enhance data security and prevent identity theft.
-
What alternative authentication methods are recommended?
Experts recommend that businesses review their authentication protocols and adopt robust methods and solutions, such as multi-factor authentication or biometric verification, to enhance data protection and security.
are you concerned about the security of your online accounts? What steps are you taking to protect your personal data?
Share your thoughts and experiences in the comments below and subscribe to our newsletter for the latest updates on data security and privacy!
