BestFin

Nigerian fintech company BestFin Nigeria has exposed the personal data of 846,000 customers and their emergency contacts in a major data leak, according to recent research by Cybernews. The breach revealed sensitive customer information and raised concerns about unethical practices among digital lenders in the country.

The leak, uncovered on July 2, 2024, involved an unsecured MongoDB database operated by BestFin Nigeria, which runs the iCredit app. The exposed database not only contained sensitive personal details but also showed signs of a ransomware attack, with the attackers demanding 0.01 bitcoin (approximately $640) to restore access.

Sensitive Data Exposed

According to Cybernews, the compromised database held the following information:

  • Personal details: names, gender, phone numbers, email addresses, home addresses, date of birth, salary range, and marital status.
  • Emergency contacts and users’ saved contacts.
  • Lists of apps installed on users’ devices.
  • Device identifiers like IMEI numbers, models, and IP addresses.
  • Complete SMS histories, including OTP codes and private messages.
  • Bank Verification Number (BVN) validation logs; the BVN is a biometric identification system regulated by Nigeria’s Central Bank.

The data leak has heightened concerns about the privacy practices of digital lending platforms like BestFin. Researchers warned that the exposed data could allow attackers to steal victims’ identities, access online accounts, and even manipulate personal information for fraudulent purposes.

Violations of Data Privacy Regulations

The data leak revealed that BestFin’s loan recovery and screening methods may violate Nigeria’s privacy regulations, which prohibit accessing users’ contact lists and private communications. This breach highlights ongoing privacy abuses in the country’s financial sector, where lenders reportedly extract excessive data from customers.

Cybernews researchers emphasized that BestFin’s practices, such as harvesting users’ private messaging histories, not only violate privacy rules but also put individuals at significant risk of fraud and identity theft.

Government Crackdown and Regulatory Challenges

Nigeria’s Data Protection Commission (NDPC) is currently investigating privacy violations by digital lenders, including major financial institutions like GTBank and Fidelity Bank. Privacy breaches have become widespread despite regulatory crackdowns. The Nigerian government has pledged to introduce stricter data privacy legislation by the end of 2024.

Officials have noted a surge in abusive practices among loan apps. Many customers have reported harassment, threats, and “name and shame” tactics from lenders seeking repayment. The exposed messages in the BestFin leak confirmed such unethical behavior, further damaging the reputation of digital lenders in Nigeria.

Growing Risks for iCredit Users

Although BestFin Nigeria has yet to respond to Cybernews’ findings, the breach serves as a cautionary tale for iCredit users. Cybercriminals now have access to sensitive user data, increasing the risk of phishing scams, identity theft, and unauthorized access to financial accounts.

While the database was eventually secured by August 26, 2024, the incident has left a lasting impact. Cybernews researchers advised affected users to stay vigilant, closely monitor their accounts, and report suspicious activity.

This data breach underscores the dangers of digital lending apps collecting excessive user information. The practice opens the door to financial exploitation and cybercrime. Users are encouraged to exercise caution and prioritize data privacy when using such services.

Read the full Cybernews research here.

Credit: Cybernews
