Paradigm Initiative (PIN), a non-governmental organisation (NGO), today demanded urgent action from the National Identity Management Commission (NIMC) following an expose of alleged breach of its National Identification Numbers (NIN) database containing personal records of Nigerians.
PIN said that it has filed a Freedom of Information request to NIMC, the nation’s national ID manager, calling for a thorough investigation to uncover those involved in the deal that caused the alleged data breach through a private website called XpressVerify.
NIMC: Inside the alleged breach of NIN database
An investigation earlier by Foundation for Investigative Journalism (FIJ), a Nigerian publication focused on investigative journalism, revealed that XpressVerify.com, a website with no apparent affiliation with NIMC, was offering access to personal details linked to NINs for a fee as low as ₦200. This information reportedly included phone numbers, full names, addresses, and even photographs of Nigerians registered on the national ID database.
“The website does not confirm what type of person can check what type of information. There were no restrictions to the number of NIN-related data that could be fetched when FIJ checked,” the report revealed.
The report further alleged that anyone could use the website to retrieve this data, raising serious concerns about the security of the National Identity Database (NIDB) managed by NIMC. Section 14 of the NIMC Act 2007 mandates NIMC to be the sole entity responsible for creating, managing, maintaining, and operating the NIDB.
Paradigm Initiative’s demands from NIMC
PIN, in a press release issued today in Abuja and made available to Technology Times underscored the severity of the alleged breach, highlighting violations of both the National Data Protection Act (NDPA) and Nigerians’ constitutional right to privacy.
The NGO said it has sent a Freedom of Information request to NIMC demanding a swift response that includes: a comprehensive investigation by both NIMC and the Nigerian Data Protection Commission (NDPC) to identify and hold accountable all parties involved in the data breach.
Paradigm Initiative further said that, ”Every Nigerian has the right to trust that their personal information is secure and protected. We further demand NIMC outlines steps to rectify this breach and prevent future occurrences.”
According to the NGO, “we urge Nigeria Data Protection Commission (NDPC) to act decisively in upholding the principles of data protection and safeguarding citizens’ privacy rights as enshrined in the NDPA and the constitution.”
PIN’s call to action comes amid growing concerns about data privacy in Nigeria.
Why NIMC must protect NIN data
The National Identification Number (NIN) is a critical piece of identity infrastructure in Nigeria. The 11 digit number NIN serves multiple purposes, including; verification and identification. NINs are used for identity verification purposes across various sectors, including banking, telecommunications, and voter registration.
According to NIMC data, as of December 2023, over 104.16 million Nigerians have enrolled for their NINs, numbers that underscored the widespread adoption of the unique identifier and the potential impact of the alleged data breach.
According to analysts, the alleged unauthorised access to NIN data, if confirmed, would be a major setback for the government’s efforts to establish a secure and trustworthy NIN system. It could lead to identity theft and financial loss beyond comprehension.
In the wake of the expose, the Nigeria Data Protection Commission has launched a full-scale investigation into the alleged unauthorised access to the NIDB. They are looking into how XpressVerify might have accessed data and if any laws were broken.
Dr Vincent Olatunji, the National Commissioner, NDPC, said that “we note that NIMC has initiated internal investigation and it has immediately given full assurances of cooperation with NDPC to get to the root of the allegation and to review existing mediums through which any entity may lawfully verify the identity of enrollees on its platform.
Furthermore, NDPC will work with relevant agencies to audit the trails of the alleged unauthorised data processing and monetization of same, and those who are found culpable for violating the Nigeria Data Protection Act, 2023 will be brought to justice.”
NIMC has denied a direct breach of their core database as the ID agency claimed that XpressVerify is not a licensed partner. The ID agency which also said that it is investigating the situation has also said that it will cooperate with the NDPC’s investigation.
According to Kayode Adegoke, the Head of Corporate Communications, NIMC, “The Commission wishes to state that it offers NIN verification and other services through licensed partners. However, XpressVerify is not one of the Commission’s licensed partners.”
The statement earlier further said that “The Director General and Chief Executive Officer of NIMC, Engr. Abisoye Coker-Odusote has promptly ordered a comprehensive investigation into the matter to find out if any of the Commission’s Tokenisation verification agents has in any way breached the licensing agreement either directly or through any of their sub-licensees.”