On 25 June 2025, the Personal Data Protection Commission (PDPC) and the Cyber Security Agency of Singapore (CSA) issued a joint advisory cautioning organisations against using NRIC numbers as a means of authenticating individuals’ identities.
Key Concerns:
- NRIC numbers are not secret and are often disclosed for legitimate purposes (e.g., registration, verification), making them unsuitable as authenticators.
- Use of static identifiers like NRIC numbers increases cybersecurity risks, including impersonation, phishing, and identity theft.
- The advisory follows incidents of personal data misuse and reflects heightened expectations around data protection and authentication best practices.
Recommended Considerations for Authentication:
Organisations should adopt multi-factor authentication (MFA) and avoid relying on a single static data point. Recommended alternatives include:
- Something the person knows – e.g., password, PIN, or secret question.
- Something the person has – e.g., a one-time password (OTP) sent via SMS/email, hardware token, or authenticator app.
- Something the person is – e.g., biometric verification such as fingerprint or facial recognition.
- Verified contact mechanisms – using verified mobile numbers or email addresses to issue authentication codes or alerts.
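To make the distinction between identification and authentication concrete, the following added example (written for this summary, not code from PDPC, CSA or the page's author) shows a login check in which the NRIC is only the lookup key for a user record, while proof of identity comes from two independent factors: a password (something the person knows, stored as a salted PBKDF2 hash) and a time-based one-time password from an authenticator app (something the person has, RFC 6238 TOTP). The user store, the placeholder NRIC value, the password and the TOTP secret are all constructed for the example. The legacy check beside it is the pattern the advisory warns against, kept only to show why it fails.

```python
import hashlib
import hmac
import os
import struct

# --- Constructed demo data (not real): a hypothetical user store keyed by NRIC. ---
# The NRIC is an identifier used to find the record; it is never compared as a secret.
PLACEHOLDER_NRIC = "S0000000A"               # made-up placeholder, not a real NRIC
DEMO_PASSWORD = "correct horse battery"       # constructed for the example only
DEMO_TOTP_SECRET = b"12345678901234567890"    # RFC 6238 reference test secret


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Knowledge factor: store a salted PBKDF2-SHA256 hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Possession factor: RFC 6238 TOTP (HMAC-SHA1) for the 30-second window containing at_time."""
    counter = int(at_time // step)
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def make_user(password: str, totp_secret: bytes) -> dict:
    """Build a user record: per-user random salt, password hash, and enrolled TOTP secret."""
    salt = os.urandom(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "totp_secret": totp_secret}


USERS = {PLACEHOLDER_NRIC: make_user(DEMO_PASSWORD, DEMO_TOTP_SECRET)}


def legacy_nric_only_login(nric: str) -> bool:
    """The pattern the advisory warns against: knowing a (non-secret) NRIC is treated as
    proof of identity. Anyone who has seen the number on a form passes this check."""
    return nric in USERS


def authenticate(nric: str, password: str, otp: str, at_time: float) -> bool:
    """Identify the record by NRIC, then require both factors to verify.

    Returns True only when the password hash and a current TOTP both match; there is no
    code path on which the NRIC alone is enough."""
    user = USERS.get(nric)
    if user is None:
        # Do the same amount of work for an unknown NRIC so the lookup result is not
        # distinguishable by response time.
        hash_password(password, b"\x00" * 16)
        return False
    password_ok = hmac.compare_digest(user["pw_hash"], hash_password(password, user["salt"]))
    # Accept the current window and one step either side to tolerate small clock drift.
    otp_ok = any(
        hmac.compare_digest(otp.encode("utf-8"), totp(user["totp_secret"], at_time + drift).encode("utf-8"))
        for drift in (-30, 0, 30)
    )
    return password_ok and otp_ok


if __name__ == "__main__":
    now = 1_000_000  # fixed demo clock so the run is reproducible
    print("legacy NRIC-only check passes with just the number:", legacy_nric_only_login(PLACEHOLDER_NRIC))
    print("MFA check with NRIC + wrong password + valid OTP:",
          authenticate(PLACEHOLDER_NRIC, "guess", totp(DEMO_TOTP_SECRET, now), now))
    print("MFA check with NRIC + password + valid OTP:",
          authenticate(PLACEHOLDER_NRIC, DEMO_PASSWORD, totp(DEMO_TOTP_SECRET, now), now))
```

In a real deployment the failure response and logging should not reveal whether the NRIC matched a record (the uniform-work branch above is a start on that), the TOTP secret would be enrolled through an authenticator app rather than embedded in source, and a "verified contact mechanism" such as an SMS or e-mail code would slot in as a second possession factor in the same position as `totp` here.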
Compliance and Risk Management Implications:
- Organisations collecting NRIC numbers must strictly limit their use to legitimate business purposes and not extend them to identity authentication.
- The shift away from NRIC-based authentication supports Data Protection by Design principles and enhances resilience against digital impersonation threats.
- Businesses are urged to review and update legacy systems and processes that still depend on NRICs for logins, verification, or access control.
The full joint statement can be found below:
TALK TO US TODAY
For more information on how we can help your company comply with the PDPA easily and cost-effectively, contact us for a FREE consultation.