Concerns about privacy and digital security have intensified as individuals reported the ease of accessing National Registration Identity Card (NRIC) numbers and other personal information through the Accounting and Corporate Regulatory Authority’s (ACRA) BizFile+ system.
Screengrab: ACRA
The portal allows retrieval of information such as NRICs, full names, and residential addresses for individuals linked to Singapore-registered businesses.
Veteran journalist Bertha Henson first highlighted the issue on 12 December 2024, noting that even individuals without direct business affiliations had their NRIC numbers exposed through the system. Her discovery of the portal’s vulnerability led to widespread public concern.
In addition, The Straits Times (13 Dec 2024) reported that for $33 per name, it was able to purchase full profiles of individuals, including their listed business address, current appointments, and past appointments.
Following the viral posts, ACRA appears to have disabled the "People" search function, although access to other data remains available. The broader concern remains about the low threshold for potential misuse of personal data (e.g. full names, NRICs, residential addresses) on their portal.
Adding to these concerns is ACRA's exemption from the Personal Data Protection Act (PDPA), given its role as the national business registry, which necessitates public access to certain business-related data for regulatory purposes. This exemption, however, brings challenges in balancing corporate transparency with personal privacy.
Real-Life Examples of Possible Data Misuse
The ease of accessing personal information through the portal raises significant risks. For example:
Credit Card Scams Abroad: Scammers and fraudsters can manipulate personal details, as seen in a recent case (10 Dec 2024) where fraudsters canceled credit cards and left victims stranded abroad
Impersonation by Scammers: In another alarming case, a scammer posing as an Interpol officer contacted a woman’s mother, reading out her address and NRIC number. This tactic sowed fear and confusion, illustrating how exposed personal information can be weaponized.
What Can You Do to Mitigate Risk in the Interim
Screengrabs: ACRA
While personal data retrieval through ACRA’s portal is challenging to control entirely, individuals can take a step to protect their privacy:
Use a Contact Address: Instead of listing a residential address in public records, provide a contact address such as an office or corporate service provider’s address. ACRA allows individuals to register a contact address for free, ensuring privacy without compromising accessibility.
Review Publicly Available Information: Check what personal details are accessible by the public. ACRA allows company officers to access company registers for free via Bizfile using Corppass. To be eligible for the fee waiver, you must login to Bizfile using Corppass and access these registers from your entity dashboard for free.
ACRA's Regulatory Changes
Screengrab: ACRA
With the passage of the ACRA (Registry and Regulatory Enhancements) Bill in July 2024, new measures are being introduced to enhance the protection of residential addresses. By year’s end, the new Contact Address regime will be fully implemented, automatically converting all Alternate Addresses into Contact Addresses.
Existing Alternate Address filing fees have been waived since August 2024, simplifying the transition process for individuals who wish to secure their personal information.
Moving Forward
Image: Pexels/Mati Mango
ACRA’s role as the national business registry involves balancing corporate transparency with personal privacy. These recent developments highlight the importance of individuals and organizations taking proactive steps to safeguard sensitive data, reducing the risk of personal information being misused in increasingly common scams.
For more information about updating your contact details or understanding ACRA’s privacy measures, please visit their official website here.
