Oral Replies to Parliamentary Questions

Impact and Follow-up Actions Following the Unauthorised Address Changes Made on ICA’s eCOA Service

Published: 04 February 2025

Questions:

Ms Joan Pereira: To ask the Minister for Home Affairs (a) what assistance has been provided to the victims of the unauthorised home address changes performed on the ICA website; and (b) what punishment will be meted out to the perpetrators who did the changes. 

Mr Leong Mun Wai: To ask the Minister for Home Affairs whether the recent cases of unauthorised change of address using ICA's e-service have affected other Government services such as the distribution of CDC vouchers and the calculation of Government benefits payable to the affected individuals.
 
Mr Leong Mun Wai: To ask the Minister for Home Affairs whether the Immigration and Checkpoints Authority will be conducting a comprehensive review of all electronic change of addresses done within the past six months through the “Others” module, which allows the change of address by a proxy, to ascertain the authenticity of the change of addresses.

Mr Leong Mun Wai: To ask the Minister for Home Affairs whether the Government will consider implementing stricter rules or guidelines to regulate the photocopying of physical NRICs to reduce the likelihood of such information being misused.

Ms Hazel Poa: To ask the Minister for Home Affairs whether the procedure for a change of home address is being reviewed.

Mr Mohd Fahmi Bin Aliman: To ask the Minister for Home Affairs (a) how many cases of unauthorised changes to residential addresses have been reported last year; (b) what specific measures were in place at that time to prevent such incidents; (c) whether an update can be provided on the investigations into the unauthorised attempts to change residential addresses; (d) whether arrests or prosecutions have been made in connection with the cybercrime activities; and (e) what additional security measures are being considered to ensure SingPass accounts cannot be misused for fraudulent activities.


Answer:

Ms Sun Xueling, Minister of State, Ministry of Home Affairs and Ministry of Social and Family Development: 

1. Mr Speaker, may I have your permission to address questions 8 to 12, raised by Ms Joan Pereira, Mr Leong Mun Wai and Ms Hazel Poa in today’s Order Paper, and Mr Mohd Fahmi bin Aliman’s question scheduled for a future sitting?

2. MDDI has related questions in this sitting and will address Mr Fahmi’s question on Singpass in its reply.

3. First, let me explain the procedure for changing one’s registered address with ICA. The fraudulent changes of address had occurred through the “Others” module in ICA’s system for electronic change of address (eCOA). The “Others” module had been introduced for the benefit of non-digitally savvy residents, such as the elderly or disabled. It enables them to change their address online, without having to make an in-person trip to ICA, by getting a proxy to help them. The proxy would log into the system using his or her own Singpass account and apply for a change of address for the individual, by keying in the individual’s NRIC (National Registration Identity Card) number and date of issue of the NRIC. A physical PIN mailer would then be sent to the individual at his new address. The proxy would log into the electronic change of address system a second time, and with the PIN, complete the change of address for the individual. 

4. In designing and building our digital services, we have to make practical trade-offs between absolute security and useability. In the case of the electronic change of address service, there were safeguards in place, including the need to authenticate the proxy via Singpass log-in, the use of NRIC number and date of issue of the NRIC of the person whose address was to be changed, and the use of a physical PIN mailer. At that time, these were assessed to represent an acceptable balance between absolute security and useability. However, we now recognise that this service could be and was exploited by malicious actors. A key problem is that there was criminal action: people gave up their Singpass account to be misused. This criminal action, which was not anticipated, was the key reason why malicious actors were able to exploit the “Others” module in the electronic change of address service. They had first used Singpass accounts which had been relinquished, as proxies to initiate the change of address for another individual. Using the date of issue of NRIC as one of the three safeguards was reasonable, but proved not adequate, as malicious actors managed to get hold of the information.

5. The ICA has since introduced an additional security feature, which is face verification, when individuals use their Singpass account to log into the “Myself” module of the electronic change of address service to change their own residential address. This module has been resumed since 14 January 2025. The “Others” module and the “Myself and my family” module will remain suspended until additional safeguards can be put in place. 

6. The Government places high priority on the security of our digital services from illegal and malicious actors. This is both to maintain public confidence and to protect the public from harm. We constantly test and improve the security of our systems and will continue to do so.

7. Second, let me address questions about the impact of the unauthorised changes of addresses and what assistance has been provided to the victims. The ICA has reviewed all electronic change of address applications made through the “Others” module since October 2020, when the electronic change of address service was launched. The ICA has ascertained that unauthorised changes took place only in the recent months, from August 2024 onwards. The ICA has found that the suspects tried to change the registered addresses of 99 individuals. They succeeded in changing the addresses of 71 of the individuals.

8. ICA and SPF have been working with GovTech and other Government agencies to mitigate the impact on these affected individuals. ICA has reached out to all 99 individuals to verify and restore the correct addresses. ICA is also assisting them to replace their physical NRIC, which will have a new date of issue. 

9. ICA is also working with other Government agencies to comprehensively assess the impact of the fraudulent change of address for the 71 individuals, in particular those whose address registered in ICA’s system had been used by other agencies to administer their schemes since the fraud began. These checks are ongoing. Agencies will provide the appropriate assistance and restoration if there had been any adverse impact on the calculation or disbursement of Government benefits, including CDC vouchers, to these individuals.

10. Of the 71 individuals whose addresses were successfully changed, the suspects went on to take over the Singpass accounts of 16 of the individuals. They did so by performing a password reset for the Singpass account and requesting for a physical PIN mailer to be sent to the newly registered address. 

11. Out of an abundance of caution, GovTech has suspended the Singpass accounts of all 99 affected individuals to prevent unauthorised activity and has been in contact with them to reset and secure their Singpass accounts. SPF is also coordinating with Government agencies and private entities to stop or reverse any fraudulent activity originating from the 16 compromised Singpass accounts. If there have been monetary losses arising from the compromised Singpass accounts, Police will work with agencies and financial institutions to remediate the losses wherever possible.

12. Third, Ms Joan Pereira asked what punishment would be meted out. 13 suspects have been arrested by the Police, and investigations are ongoing. Four men have already been charged in court for offences under the Computer Misuse Act 1993. These offences carry penalties of imprisonment of up to three years, a fine of up to $10,000, or both, for first time offenders. Details of the arrests and the offences for which the suspects have been charged are contained in SPF’s news releases. The SPF will be making known other details in due course as its investigations progress further. 

13. Finally, regarding the photocopying of NRICs, under the Personal Data Protection Commission’s Advisory Guidelines, organisations are generally not allowed to collect, use or disclose copies of NRIC, as they contain personal data. Exceptions apply only when required under the law, or when it is necessary to accurately identify an individual. Organisations that fail to comply with these Guidelines may be in breach of their obligations under the Personal Data Protection Act.