Stopping the Use of NRIC Numbers as Passwords in the Private Sector
26 June 2025
Singapore, 26 June 2025 – Since January, the Government has been taking steps to ensure the proper use of National Registration Identity Card (NRIC) numbers in the private sector, to better protect citizens. The Personal Data Protection Commission (PDPC) and Cyber Security Agency (CSA) issued an advisory today to guide private sector organisations to stop using NRIC numbers to prove that a person is who he claims to be. This advisory has been posted on the PDPC and CSA websites. The Government is also working with regulated sectors such as finance, healthcare, and telecommunications to develop sector-specific guidance in the coming months.
Guiding Private Sector Organisations on Safe Authentication Practices
2. While organisations may use NRIC numbers to identify who a person is over the phone or when using digital services, NRIC numbers should not be used to prove that a person is who he claims to be (authenticate the person) for the purposes of trying to gain access to services or information meant only for that person.
3. Currently, private sector organisations may require a person to use his NRIC number as a password to gain access to information intended only for him, for instance, in insurance documents. It is unsafe for organisations to use NRIC numbers in this manner because a person’s NRIC number may be known to others, permitting anyone who knows his NRIC number to impersonate him and easily access his personal data or records.
4. Organisations that are using full or partial NRIC numbers to authenticate persons should transition away from this practice as soon as possible. This includes not setting NRIC numbers as default passwords (e.g., in password-protected files sent via e-mail), and not using full or partial NRIC numbers together with other easily obtainable personal data (e.g., passwords combining an individual’s partial NRIC number and date of birth, such as “567A01Jan80”).
5. If it is necessary to authenticate a person, organisations should consider alternative methods, for example requiring the person to use strong passwords, a security token or fingerprint identification.
6. The Government remains committed to protecting citizens’ personal data and ensuring its secure use for rightful purposes.
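A check an organisation could run before issuing a default password for a protected file, flagging the pattern described in paragraph 4 and falling back to a random secret. This is an added example, not part of the advisory; the NRIC and date of birth are constructed sample values, and the 4-character fragment threshold and the list of date formats are assumptions.

```python
import secrets
from datetime import date

# Assumed list of common ways a date of birth is written into a password (not exhaustive).
DOB_FORMATS = ("%d%b%y", "%d%b%Y", "%d%m%y", "%d%m%Y", "%Y%m%d", "%y%m%d")
MIN_FRAGMENT = 4  # assumption: shortest run of NRIC characters treated as "partial NRIC"


def _normalise(text):
    """Lower-case and drop separators so 'S1234567-A' and 's1234567a' compare equal."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def nric_fragments(nric, min_len=MIN_FRAGMENT):
    """Every contiguous run of the NRIC that is at least min_len characters long."""
    n = _normalise(nric)
    return {n[i:j] for i in range(len(n)) for j in range(i + min_len, len(n) + 1)}


def derived_from_identity(secret, nric, dob):
    """Return the reasons a secret is derived from NRIC or DOB (empty list if none)."""
    s = _normalise(secret)
    reasons = []
    if any(frag in s for frag in nric_fragments(nric)):
        reasons.append("contains full or partial NRIC")
    if any(_normalise(dob.strftime(fmt)) in s for fmt in DOB_FORMATS):
        reasons.append("contains date of birth")
    return reasons


def issue_file_password(nric, dob, nbytes=16):
    """Issue a random secret; retry in the rare case it happens to match a fragment."""
    while True:
        candidate = secrets.token_urlsafe(nbytes)
        if not derived_from_identity(candidate, nric, dob):
            return candidate


if __name__ == "__main__":
    nric, dob = "S1234567A", date(1980, 1, 1)  # constructed sample values
    print(derived_from_identity("567A01Jan80", nric, dob))  # pattern from paragraph 4
    print(issue_file_password(nric, dob))
```

The random secret still has to reach the person through a channel other than the e-mail carrying the protected file.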