The NRIC-as-password problem is a classic confusion between identifiers and authenticators, and it persisted this long because organisations conflated "something the person knows" with "something only the person knows." NRIC numbers are quasi-public identifiers by design, not secrets, and any IAM architecture built on them as an authentication factor was broken at the conceptual level before any breach occurred. The Bizfile incident in December 2024 did not create the vulnerability; it just made the underlying design flaw impossible to ignore.