Singapore issues advisory urging organisations to cease use of NRIC numbers for authentication purposes

On 26 June 2025, Singapore’s key data protection and cybersecurity authorities, the Personal Data Protection Commission (“PDPC”) and the Cyber Security Agency (“CSA”), issued a joint advisory (“Advisory”), with support from the Ministry of Digital Development and Information (“MDDI”) by way of a press release (“MDDI Press Release”), calling on private sector organisations to stop using NRIC numbers as passwords or authentication credentials. The Advisory echoes the MDDI and PDPC’s positions in media statements released in December 2024.

Background and Rationale

The Advisory comes amid growing concerns over the security of personal data and the risk of impersonation. National Registration Identity Card (“NRIC”) numbers, which are unique national identifiers issued to Singapore residents, have traditionally been used by some organisations as a means of authenticating individuals, particularly for accessing sensitive documents or services. However, authorities have cautioned that this practice is unsafe, as NRIC numbers may be known to multiple parties, making it easier for unauthorised individuals to impersonate others and gain access to confidential information.

Key Points of the Advisory and MDDI Press Release

The Advisory and MDDI Press Release raise several key points, including the following:

  • Distinction between Identification and Authentication: While NRIC numbers may be used by organisations to identify individuals (for example, over the phone or through digital services), they should not be relied upon to verify a person’s identity for the purpose of granting access to restricted information or services.
  • Risks of using NRIC Numbers for Authentication: Using NRIC numbers as passwords or authentication factors exposes individuals to the risk of impersonation and data breaches, as these numbers are not secret and may be easily obtained or guessed.
  • Moving away from NRIC-Based Authentication: Organisations currently using full or partial NRIC numbers for authentication are urged to transition to alternative methods as soon as possible. This includes ceasing the use of NRIC numbers as default passwords in password-protected files and avoiding combinations of NRIC numbers with other easily accessible personal data, such as dates of birth.
  • Recommended Alternatives: The Advisory recommends the adoption of stronger authentication mechanisms, such as robust passwords, security tokens, or biometric identifiers (e.g., fingerprint or facial recognition). Organisations are encouraged to implement multi-factor authentication (“MFA”) where feasible, to further strengthen security.

Practical Steps for Organisations

Private sector organisations should consider implementing the following steps (where applicable) to align with the positions under the Advisory and MDDI Press Release:

  • Review Current Practices: Organisations should conduct a thorough review of their authentication processes to identify and rectify any aspects that rely on NRIC numbers as passwords or for authentication purposes.
  • Implement Secure Alternatives: Where authentication is necessary, organisations should deploy secure alternatives, such as strong, unique passwords or biometric verification, and consider implementing MFA.
  • Educate Staff and Users: It is important to raise awareness among employees and users about the risks of using easily obtainable personal data for authentication and to promote best practices in password management and data security.
  • Maintain Compliance and Governance: Organisations should document their authentication policies and ensure ongoing compliance with local laws, regulations and guidance, including regular reviews and updates as new threats emerge.

Conclusion

The Advisory from Singapore’s PDPC and CSA, along with the MDDI Press Release, marks a significant step towards strengthening the protection of personal data in the private sector. By moving away from the use of NRIC numbers as authentication credentials or passwords and embracing more secure alternatives, organisations can better safeguard individuals’ privacy and reduce the risk of identity-related incidents. As digital services continue to proliferate, robust authentication practices will remain a cornerstone of effective data protection and cybersecurity in Singapore.

The information provided above does not, and is not intended to, constitute legal advice pertaining to the Advisory; the information, content, and materials set out above are based on our reading of the amendments and are for general informational purposes only.