Major Data Breach: Sensitive Govt Data of Nigerian Citizens Available Online for Just 100 Naira

Lagos, Nigeria//-In a shocking revelation, Paradigm Initiative has found out that several unauthorised websites are claiming to hold and provide access to sensitive personal and financial data of Nigerian citizens for as little as 100 Naira.

This alarming development presents a major breach of fundamental privacy rights, a breach of data privacy rights and poses significant risks to individuals and the national economy.

On the 16th of March, 2024, an online media outlet, Fij. ng, published a story on its platform, with the headline, “ALERT: XpressVerify, a Private Website, Has Access to Registered Nigerians’ Data and Is Making Money From It.”

In that publication, the media outlet presented an investigative story of a website with the web address, www.XpressVerify.com.ng, that had access to the personal data of Nigerian citizens and commercialised the data for personal gain. Even though the website was quickly taken down, Paradigm Initiative is currently seeking legal redress on behalf of Nigerian citizens.

Following the XpressVerify incident, further research was undertaken and it was discovered that another actor tagged AnyVerify.com.ng has been operating in the digital space of Nigeria since November 2023.

From our research, AnyVerify.com.ng is a website involved in the commercial distribution of personal and private data of Nigerians. On its webpage, a drop-down displaying the myriads of data services which the website renders can be observed.

These include personal data such as the National Identity Number (NIN), Bank Verification Number (BVN), virtual NIN, Driving License, International Passport, Company details, Tax Identification Number (TIN), Permanent Voter’s Card (PVC) and Phone Numbers. All these are sold by this website to any interested party for the sum of N100.00 (One Hundred Naira Only) for each data request.

This website was visited five hundred and sixty-seven thousand, nine hundred and ninety (567,990) times in February 2024 and one hundred and eighty-eight thousand, three hundred and sixty (188,360) times in April 2024.

Due to the severe implication for millions of Nigerians, we have through our legal partners, Vindich Legal, served a pre-action notice to the following Government Agencies: National Identity Management Commission (NIMC), Nigeria Data Protection Commission (NDPC), Nigeria Immigration Service (NIS), Federal Inland Revenue Service (FIRS), Central Bank of Nigeria (CBN), Independent National Electoral Commission (INEC), Federal Road Safety Corps (FRSC) and the office of the Attorney General of the Federation (AGF).

Key Concerns
Privacy Violation:  The unauthorised access to personal data is a blatant infringement on the privacy of Nigerian citizens. The dissemination of such information could lead to identity theft, financial fraud, and other malicious activities, including data owners being targeted by burglars, kidnappers or terrorists who buy data that includes home addresses.

Economic Impact: The availability of sensitive financial data online can undermine the stability of Nigeria’s banking system. Fraudulent transactions and identity theft can erode public trust in financial institutions, potentially leading to a financial crisis. This is exacerbated by recent findings of huge losses suffered by financial institutions in Nigeria due to digital manipulation.

National Security: The breach of driver’s licence information and other personal data can compromise national security. Such information can be exploited by criminal elements for unlawful activities, posing a threat to the safety and security of the nation.

Legal and Ethical Implications: The existence of these websites highlights significant gaps in data protection and cybersecurity measures within the country. It underscores the urgent need for robust data protection laws and stringent enforcement mechanisms to safeguard citizens’ data.

Government Response:
The Nigerian government is urged to take immediate and decisive action to address this critical issue. This includes:

Court Reliefs Sought:
A Declaration that the act of unauthorised access to the data of Nigerian citizens by AnyVerify.com.ng and commercialization of the same violates the provision of Section 37 of the Constitution Of The Federal Republic Of Nigeria 1999 (CFRN).

A Declaration that by Section 30 And Section 39 Of The Nigeria Data Protection Act (NDPA) 2023, all involved agencies of government must implement appropriate technical and organisational measures to ensure the security and integrity of citizens’ sensitive personal data.

An Order of court mandating a full investigation and publication of the investigative report regarding the personal data breach occasioned by the data leak to AnyVerify.com.ng and its customers by the National Identity Management Commission (NIMC).

An Order of the court directing all involved agencies of government to release official information to the public regarding the activities of their agents and sub-licensees.
An Order of court directing the involved agencies of government to provide restitution in the form of compensation to data subjects who have been affected by the data leak.

Call to Action:
We call upon all stakeholders, including government agencies, financial institutions, the private sector, media institutions, researchers, and civil society organisations, to collaborate in addressing this data privacy crisis.

Protecting the personal information of Nigerian citizens is of paramount importance, and collective efforts are needed to restore trust and ensure the security of our nation’s data infrastructure. Nigerians have made a lot of sacrifices and trusted the government with their data in exchange for a social contract that includes security, so it would be ironic to leave all of that data in the hands of bad actors such as kidnappers, burglars and terrorists.