PIN reports major privacy breaches in Nigeria, exposing sensitive data and triggering urgent investigations

Paradigm Initiative (PIN) has raised alarms over significant privacy breaches in Nigeria, revealing that several unauthorized websites are claiming to hold and provide access to sensitive personal and financial data of Nigerian citizens for as little as 100 Naira. Authorities are currently investigating the issue, with senior officials from the Nigeria Data Protection Commission (NDPC) confirming a probe into the extent of the breach and the actors involved.

RELATED: Nigerian organisations record alarming levels of data breach for Q1 2023

According to PIN, an NGO dedicated to creating digital opportunities across Africa, this alarming development constitutes a major violation of fundamental privacy rights, data privacy laws, and poses significant risks to individuals and the national economy.

The first quarter of 2023 saw an increase in data breaches among Nigerian organizations, as highlighted in a privacy report by IT Edge News. Over 200 organizations, spanning financial institutions including major banks, ICT and telecom firms, and publicly owned entities, reported severe data breaches during this period. This information is corroborated by claims from Data Protection Compliance Organisations (DPCOs) and industry insights, along with investigative reports from the privacy Ombudsman.

Additionally, a data security report by the Website Planet research team uncovered a breach affecting the Plateau State Contributory Health Care Management Agency (PLASCHEMA), which exposed the identity documents of over 37,000 individuals.

ADVERTISEMENT

PIN has called for immediate intervention from all stakeholders to address the escalating privacy breaches in Nigeria.

Read the full report below.

Major Data Breach: Sensitive Government Data of Nigerian Citizens Available Online for Just 100 Naira

In a shocking revelation, Paradigm Initiative has found out that several unauthorised websites are claiming to hold and provide access to sensitive personal and financial data of Nigerian citizens for as little as 100 Naira. This alarming development presents a major breach of the fundamental rights to privacy, a breach of data privacy rights and poses significant risks to individuals and the national economy.

ADVERTISEMENT

On the 16th of March, 2024, an online media outlet, Fij.ng, published a story on its platform, with the headline, “ALERT: XpressVerify, a Private Website, Has Access to Registered Nigerians’ Data and Is Making Money From It.” In that publication, the media outlet presented an investigative story of a website with the web address, www.XpressVerify.com.ng, that had access to the personal data of Nigerian citizens and commercialised the data for personal gain. Even though the website was quickly taken down, Paradigm Initiative is currently seeking legal redress on behalf of Nigerian citizens. 

Following the XpressVerify incident, further research was undertaken and it was discovered that another actor tagged AnyVerify.com.ng has been operating in the digital space of Nigeria since November 2023.

From our research, AnyVerify.com.ng is a website involved in the commercial distribution of personal and private data of Nigerians. On its webpage, a drop-down displaying the myriads of data services which the website renders can be observed. These include personal data such as the National Identity Number (NIN), the Bank Verification Number (BVN), a virtual NIN, Driving License, International Passport, Company details, Tax Identification Number (TIN), Permanent Voter’s Card (PVC) and Phone Numbers. All these are sold by this website to any interested party for the sum of N100.00 (One Hundred Naira Only) for each data request. This website was visited five hundred and sixty-seven thousand, nine hundred and ninety (567,990) times in February 2024 and one hundred and eighty-eight thousand, three hundred and sixty (188,360) times in April 2024. 

ADVERTISEMENT

Due to the severe implication for millions of Nigerians, we have through our legal partners, Vindich Legal, served a pre-action notice to the following Government Agencies: National Identity Management Commission (NIMC), Nigeria Data Protection Commission (NDPC), Nigeria Immigration Service (NIS), Federal Inland Revenue Service (FIRS), Central Bank of Nigeria (CBN), Independent National Electoral Commission (INEC), Federal Road Safety Corps (FRSC) and the office of the Attorney General of the Federation (AGF).

Key Concerns:

1. Privacy Violation: The unauthorised access to personal data is a blatant infringement on the privacy of Nigerian citizens. The dissemination of such information could lead to identity theft, financial fraud, and other malicious activities, including data owners being targeted by burglars, kidnappers or terrorists who buy data that includes home addresses.
2. Economic Impact: The availability of sensitive financial data online can undermine the stability of Nigeria’s banking system. Fraudulent transactions and identity theft can erode public trust in financial institutions, potentially leading to a financial crisis. This is exacerbated by recent findings of huge losses suffered by financial institutions in Nigeria due to digital manipulation.
3. National Security: The breach of driver’s licence information and other personal data can compromise national security. Such information can be exploited by criminal elements for unlawful activities, posing a threat to the safety and security of the nation.
4. Legal and Ethical Implications: The existence of these websites highlights significant gaps in data protection and cybersecurity measures within the country. It underscores the urgent need for robust data protection laws and stringent enforcement mechanisms to safeguard citizens’ data.

Government Response:

The Nigerian government is urged to take immediate and decisive action to address this critical issue. This includes:

• Conducting a thorough investigation to identify these illegal online activities.
• Enhancing cybersecurity measures to prevent further data breaches.
• Implementing Nigeria’s Data Protection Act, strengthening the Nigeria Data Protection Commission (NDPC), and guaranteeing the independence of the NDPC, to ensure the privacy and security of citizens’ information.
• Raising public awareness about the risks associated with data breaches and providing guidance on how individuals can protect themselves.

Court Reliefs Sought:

• A Declaration that the act of unauthorised access to the data of Nigerian citizens by AnyVerify.com.ng and commercialization of the same violates the provision of Section 37 of the Constitution Of The Federal Republic Of Nigeria 1999 (CFRN). 

• A Declaration that by virtue of Section 30 And Section 39 Of The Nigeria Data Protection Act (NDPA) 2023, all involved agencies of government have a duty to implement appropriate technical and organisational measures to ensure the security and integrity of citizens’ sensitive personal data. 

• An Order of court mandating a full investigation and publication of the investigative report regarding the personal data breach occasioned by the data leak to AnyVerify.com.ng and its customers by the National Identity Management Commission (NIMC).

• An Order of the court directing all involved agencies of government to release official information to the public regarding the activities of their agents and sub-licensees. 

• An Order of court directing the involved agencies of government to provide restitution in form of compensation to data subjects who have been affected by the data leak. 

Call to Action:

We call upon all stakeholders, including government agencies, financial institutions, the private sector, media institutions, researchers, and civil society organisations, to collaborate in addressing this data privacy crisis. Protecting the personal information of Nigerian citizens is of paramount importance, and collective efforts are needed to restore trust and ensure the security of our nation’s data infrastructure. Nigerians have made a lot of sacrifices and trusted the government with their personal data in exchange for a social contract that includes security, so it would be ironic to leave all of that data in the hands of bad actors such as kidnappers, burglars and terrorists.