Data Breach: Concerns as NIMC response fails to ease Nigerians’ fear

By Quadri Adejumo

During the past weeks, digital rights organisation Paradigm Initiative revealed the existence of a nefarious website, anyverify.com.ng, which was selling sensitive data of Nigerians.

The website provided access to personal information, including National Identity Numbers (NIN), Bank Verification Numbers (BVN), virtual NINs, driving licenses, international passports, company details, Tax Identification Numbers (TIN), Permanent Voter’s Cards (PVC), and phone numbers.

Paradigm Initiative’s investigation detailed how AnyVerify offered this private information for a token amount, N100.

READ ALSO: New Ungogo branch NBA Chair, Gwadabe unveils agenda 

To prove their point, the organization purchased the NIN slips of Nigeria’s Minister of Communication and Digital Economy, Dr. Bosun Tijani, and the National Commissioner of the Nigerian Data Protection Commission (NDPC), Dr. Vincent Olatunji, for just 100 naira each.

In reaction, the National Identity Management Commission (NIMC), responsible for Nigeria’s national database, denied any breach. Instead, NIMC attributed the issue to the carelessness of Nigerians who upload their personal data to unauthorized websites.

“NIMC advises Nigerians to avoid giving their data to unauthorized and phishing sites. This poses the danger of data harvesting,” NIMC stated in a statement by Kayode Adegoke, Head of Corporate Communications at NIMC. “NIMC urges the public to disregard any claims or services these websites offer and should not give their data as they are potentially fraudulent, and data provided by the public on such websites are gathered and stored to build the data services they illegally provide.”

NIMC’s response did not sit well with millions of Nigerians, who were left questioning the safety of their personal information.

Many saw the commission’s statement as an attempt to deflect responsibility rather than address the serious breach of trust.

Public outcry

This response did not convey enough conviction to many Nigerians. Ibrahim Jide, an ICT teacher, spoke of the irrelevance in the response. 

“The relevant information that Nigerians needed was missing from their response. They did not provide any specifics about the nature of the breach or the measures that were taken to stop future incidents.”

Adebayo Maruf, a business owner, also voiced his disappointment and frustration.

“When it came to our most private information, we trusted NIMC. Now, we no longer have security assurances over our own personal data. How are we sure our information won’t be misused? How sure are we that our data won’t be stolen?”

Similarly, Aisha, a Lagos State University student, echoed said she is concerned about her privacy.

READ ALSO: Euro 2024: Netherlands beat Turkey 2-1, battle England in semi-finals 

“If the data of government officials can be made available to the public, then we are never safe. Especially as students. Our little finances may be stolen from our bank accounts. Our situation is getting worse because of this nation.”

Experts

Cybersecurity experts weighed in on the issue, highlighting NIMC’s inadequate response. 

Chima Chinedu, a cybersecurity expert, emphasised the necessity of transparency. 

“NIMC must provide a comprehensive account of what occurred, how it occurred, and which data were impacted. They cannot regain public trust without this transparency.”

Additionally, he demanded that Nigeria’s data protection regulations be revised. 

“This incident demonstrates how urgently stronger data protection laws and mechanisms are required. The highest security standards must be adhered to by institutions handling sensitive information, and the government must ensure this.”

An independent investigation was also requested by IT expert Karim Babatunde. 

“We have a responsibility to determine the full scope of the breach and hold those accountable accountable.

“In addition to enhancing their security infrastructure, NIMC must take concrete steps to effectively communicate these changes to the public.”

AnyVerify claims to help businesses verify their customers. Users are required to submit their email addresses and NINs. After registration, users are presented with a wallet to fund with at least ₦400 before using the website.

Launched in November 2023, AnyVerify was visited 567,990 times and 188,360 in February and April 2024 respectively, according to Paradigm Initiative. It has since gone offline, although Paradigm Initiative says it archived all the information on the website.

Past breaches

In the past year, Nigeria has grappled with the issue of data security and data breaches.

Earlier in the year, Vincent Olatunji, the National Commissioner of the Nigerian Data Protection Commission (NDPC), confirmed that the commission was investigating 17 major cases of data breaches and violations in the country.

Presently, Nigeria ranks fifth in a global report on sources of cybercrime activities, coming behind Russia, Ukraine, China, and the United States.

In a Guardian report, a technology security firm, Nitroswitch, noted that over 4,000 cyberattacks were recorded daily in the country.

A study by cybersecurity firm Surfshark also reported a 64 percent increase in information breaches in Nigeria, highlighting a surge in incidents during the first quarter of 2023.

The analysis ranked Nigeria as the 32nd most breached country worldwide from January to March 2023, underscoring the region’s urgent need for enhanced cybersecurity measures.

The report added that in Q1 2023 alone, 82,000 accounts were compromised in Nigeria, representing a significant 46 percent increase compared to the previous quarter.

Calls for overhaul

This has prompted calls from experts for a stronger and comprehensive overhaul of the country’s data protection policies. “The increasing frequency and severity of these breaches have exposed significant vulnerabilities, putting millions of Nigerians at risk,” Mariam Bakare, a legal expert told our reporter.

“This incident underscores the urgent need for stronger data protection laws and enforcement mechanisms. The government must ensure that institutions handling sensitive information adhere to the highest security standards.”

The 1999 Constitution (as amended) recognizes privacy as a fundamental human right, ensuring the protection of citizens, their homes, correspondence, telephone conversations, and telegraphic communications.

This foundational principle led to the enactment of the Nigerian Data Protection Act (NDPA) 2023 and the establishment of the Nigeria Data Protection Commission. The commission is tasked with regulating the implementation of technological and organizational measures to facilitate data protection.

Mariam believes the government should enact stronger information protection laws for incidents like these. 

“We need a comprehensive data protection law that aligns with global best practices and can effectively enforce compliance. Cybercrime is a global issue. By partnering with other nations and sharing intelligence, Nigeria can strengthen its defenses and stay ahead of emerging threats.”