This year alone, Nigeria’s digital ID authority, the National Identity Management Commission (NIMC), has faced significant challenges, having experienced at least two major data breaches linked to its partner agents. In March 2024, a debacle with XpressVerify exposed sensitive data, and just last Thursday, a similar incident occurred with Anyverify.com.ng. These breaches highlight a troubling trend in the mishandling of personal information.
Editor’s Choice
The crux of the issue lies in unlicensed “data service” providers who have been selling the personal information of millions of Nigerians. Shockingly, this data, purchased from licensed agents, was being sold for as little as ₦190 ($0.12). The availability of such sensitive information at a negligible cost has put the safety and privacy of countless Nigerians at severe risk.
Report has it that an unnamed ethical hacker speculated that either the NIMC was performing poorly at data protection, possibly due to the use of insecure cloud storage solutions, or that there was insider complicity allowing unauthorized access to the data. The hacker’s theory gains traction considering the ongoing vulnerabilities.
Earlier in February, NIMC reinstated the NIN verification service after a suspension prompted by the World Bank’s concerns over data breaches. Despite assurances that the system was now secure, licensed partners allegedly continued to exploit the system, making API calls to access and sell Nigerians’ data to sub-agents, all without the NIMC’s knowledge.
Also Read Below
Following the latest breach involving Anyverify.com.ng, NIMC issued a public statement vehemently denying the allegations and assuring Nigerians that no sensitive data had been compromised. The statement read, “The Commission has not authorized any website or entity to sell or misuse the National Identity Number (NIN) among all the identities stated in the report.” This response was a direct reference to the report by Paradigm HQ that first broke the news of the data breach.
The situation worsens as the NIMC’s statement also highlighted four additional websites—idfinder.com.ng, verify.ng/sign-in, championtech.com.ng, and trustyonline.com—identified as illegal data harvesting operations. These websites have since shut down to cover their tracks, but the damage to public trust remains.
The incidents raise pressing questions about the NIMC’s decision to recommission the NIN Verification Service (NVS) and the protocols allowing licensed agents to access and potentially misuse this data. The restoration of the service, intended to streamline identity verification, now seems to have inadvertently enabled unauthorized data access.
Experts and concerned citizens are calling for stricter oversight and more robust data protection measures from the NIMC. The agency needs to implement stringent security protocols and conduct thorough audits of its partners to prevent future breaches. Additionally, there is a growing demand for transparency from the NIMC regarding the steps being taken to safeguard personal data.
In conclusion, the exposure of these five websites as illegal data sellers is a stark reminder of the vulnerabilities within Nigeria’s digital identity infrastructure. As the NIMC works to restore public confidence, it must prioritize the security and privacy of the millions of Nigerians who rely on its services.