Assistance for Victims of Incident Involving Address Changes Via ICA System, Punishment for Perpetrators and Remedial Actions to Correct System or Process

8 Ms Joan Pereira asked the Minister for Home Affairs (a) what assistance has been provided to the victims of the unauthorised home address changes performed on the ICA website; and (b) what punishment will be meted out to the perpetrators who did the changes.

9 Mr Leong Mun Wai asked the Minister for Home Affairs whether the recent cases of unauthorised change of address using ICA's e-service have affected other Government services such as the distribution of CDC Vouchers and the calculation of Government benefits payable to the affected individuals.

10 Mr Leong Mun Wai asked the Minister for Home Affairs whether the Immigration and Checkpoints Authority will be conducting a comprehensive review of all electronic change of addresses done within the past six months through the “Others” module, which allows the change of address by a proxy, to ascertain the authenticity of the change of addresses.

11 Ms Hazel Poa asked the Minister for Home Affairs whether the procedure for a change of home address is being reviewed.

12 Mr Leong Mun Wai asked the Minister for Home Affairs whether the Government will consider implementing stricter rules or guidelines to regulate the photocopying of physical NRICs to reduce the likelihood of such information being misused.

The Minister of State for Home Affairs (Ms Sun Xueling) (for the Minister for Home Affairs): Mr Speaker, may I have your permission to address Question Nos 8 to 12 raised by Ms Joan Pereira, Mr Leong Mun Wai and Ms Hazel Poa in today's Order Paper, and Mr Mohd Fahmi bin Aliman’s question scheduled for a future Sitting.

Mr Speaker: Please go ahead.

Ms Sun Xueling: The Ministry of Digital Development and Information (MDDI) has related questions in this Sitting and will address Mr Fahmi’s question on Singpass in its reply.

First, let me explain the procedure for changing one’s registered address with the Immigration and Checkpoints Authority (ICA). The fraudulent changes of address had occurred through the “Others” module in ICA’s system for electronic change of address (eCOA). The “Others” module had been introduced for the benefit of non-digitally savvy residents, such as the elderly or disabled. It enables them to change their address online without having to make an in-person trip to ICA, by getting a proxy to help them. The proxy would log into the system using his or her own Singpass account and apply for a change of address for the individual by keying in the individual’s National Registration Identity Card (NRIC) number and date of issue of the NRIC. A physical personal identification number (PIN) mailer would then be sent to the individual at his new address. The proxy would log into the eCOA system a second time and with the PIN, complete the change of address for the individual.

In designing and building our digital services, we have to make practical trade-offs between absolute security and useability. In the case of the eCOA service, there were safeguards in place, including the need to authenticate the proxy via Singpass log-in, the use of NRIC number and date of issue of the NRIC of the person whose address was to be changed, and the use of a physical PIN mailer.

At that time, these were assessed to represent an acceptable balance between absolute security and useability. However, we now recognise that this service could be and was exploited by malicious actors. A key problem is that there was criminal action: people gave up their Singpass account to be misused. This criminal action, which was not anticipated, was the key reason why malicious actors were able to exploit the “Others” module in the eCOA service. They had first used Singpass accounts which had been relinquished, as proxies to initiate the change of address for another individual. Using the date of issue of NRIC as one of the three safeguards was reasonable, but proved not adequate, as malicious actors managed to get hold of the information.

ICA has since introduced an additional security feature which is face verification when individuals use their Singpass account to log into the “Myself” module of the eCOA service to change their own residential address. This module has been resumed since 14 January 2025. The “Others” module and the “Myself and my family” module will remain suspended until additional safeguards can be put in place.

The Government places high priority on the security of our digital services from illegal and malicious actors. This is both to maintain public confidence and to protect the public from harm. We constantly test and improve the security of our systems and will continue to do so.

Second, let me address questions about the impact of the unauthorised changes of addresses and what assistance has been provided to the victims. ICA has reviewed all eCOA applications made through the “Others” module since October 2020, when the eCOA service was launched. ICA has ascertained that unauthorised changes took place only in the recent months, from August 2024 onwards. ICA has found that the suspects tried to change the registered addresses of 99 individuals. They succeeded in changing the addresses of 71 of the individuals.

ICA and the Singapore Police Force (SPF) have been working with the Government Technology Agency of Singapore (GovTech) and other Government agencies to mitigate the impact on these affected individuals. ICA has reached out to all 99 individuals to verify and restore the correct addresses. ICA is also assisting them to replace their physical NRIC, which will have a new date of issue.

ICA is also working with other Government agencies to comprehensively assess the impact of the fraudulent change of address for the 71 individuals, in particular those whose address registered in ICA’s system had been used by other agencies to administer their schemes since the fraud began. These checks are ongoing. Agencies will provide the appropriate assistance and restoration if there has been any adverse impact on the calculation or disbursement of Government benefits, including Community Development Council (CDC) Vouchers, to these individuals.

Of the 71 individuals whose addresses were successfully changed, the suspects went on to take over the Singpass accounts of 16 of the individuals. They did so by performing a password reset for the Singpass account and requesting for a physical PIN mailer to be sent to the newly registered address.

Out of an abundance of caution, GovTech has suspended the Singpass accounts of all 99 affected individuals to prevent unauthorised activity, and has been in contact with them to reset and secure their Singpass accounts. SPF is also coordinating with Government agencies and private entities to stop or reverse any fraudulent activity originating from the 16 compromised Singpass accounts. If there have been monetary losses arising from the compromised Singpass accounts, Police will work with agencies and financial institutions to remediate the losses wherever possible.

Third, Ms Joan Pereira asked what punishment would be meted out. Thirteen suspects have been arrested by the Police and investigations are ongoing. Four men have already been charged in court for offences under the Computer Misuse Act 1993. These offences carry penalties of imprisonment of up to three years, a fine of up to $10,000, or both, for first-time offenders. Details of the arrests and the offences for which the suspects have been charged are contained in SPF’s news releases. SPF will be making known other details in due course as its investigations progress further.

Finally, regarding the photocopying of NRICs, under the Personal Data Protection Commission’s Advisory Guidelines, organisations are generally not allowed to collect, use or disclose copies of NRIC, as they contain personal data. Exceptions apply only where required under the law, or when it is necessary to accurately identify an individual. Organisations that fail to comply with these Guidelines may be in breach of their obligations under the Personal Data Protection Act.

Mr Speaker: Ms Joan Pereira.

Ms Joan Pereira (Tanjong Pagar): Thank you, Speaker. I have one supplementary question for the Minister of State. I would like to ask why ICA suspended the eCOA's service only on 11 January 2025. Could ICA not have acted sooner?

Ms Sun Xueling: I thank the Member for her supplementary question. ICA had started investigating cases of unauthorised changes of address in September 2024. Initially, the cases appeared unconnected. Time was needed to investigate and triangulate information from various reports made.

By December 2024, ICA had uncovered how the unauthorised changes of addresses were effected and what they were used for. In parallel, ICA was also reviewing the technical aspects of improving the security of the eCOA system.

Following an internal assessment, ICA decided to suspend the eCOA service and did so on 11 January 2025. In hindsight, ICA could have taken steps to cease the service earlier in December 2024 when the modus operandi was established. But these are judgement calls that public officers have to make every day. The Ministry of Home Affairs (MHA) is reviewing with ICA what lessons we can draw from this incident.

Mr Speaker: Ms Hazel Poa.

Ms Hazel Poa (Non-Constituency Member): I thank the Minister of State for her answers. Upon a change of address, does the Ministry currently send letters to both the new and old addresses in order to verify that the change is genuine? And secondly, would the Ministry consider reinstating the venue of changing residential address to be at Neighbourhood Police Posts (NPPs)?

Ms Sun Xueling: I thank the Member for her supplementary questions. Currently, the mailers are sent to the new address but, like I had shared in my response earlier, ICA is reviewing how this service is conducted and has instituted the use of facial verification under the "Myself" module. So, for the other modules, like "Myself and family members" as well as "Others", ICA is still reviewing what would be the best way forward in order to safeguard our electronic services.

I am sorry. Could I ask about the second question again, please?

Ms Hazel Poa: Updating addresses at NPPs.

Ms Sun Xueling: I thank the Member for that question. There have been instances in the past where there have been questions raised in this House about manpower issues that the SPF faces. So, many of our NPPs have gone towards a "man-less" operation model. But what will happen is, if there are individuals who walk into our NPPs and ask for help to change their address, they will be guided to ICA for them to change their addresses at ICA.

2.00 pm

Mr Speaker: Order. End of Question Time. The Clerk will now read the Orders of the Day and the Notices of Motions. Leader of the House.

[Pursuant to Standing Order No 22(3), provided that Members had not asked for questions standing in their names to be postponed to a later Sitting day or withdrawn, written answers to questions not reached by the end of Question Time are reproduced in the Appendix.]