The rising tide of data leakage in Nigeria: A cybersecurity crisis in the making

Nigeria, Africa’s most populous nation and a burgeoning hub for digital innovation, is grappling with a growing cybersecurity crisis: data leakage.

As the country races toward digital transformation—evidenced by widespread mobile penetration, a thriving fintech ecosystem, and ambitious government digitization initiatives—the specter of compromised personal and financial data looms large. From the unauthorized sale of National Identification Numbers (NINs) to breaches affecting millions of citizens, Nigeria’s data protection landscape is under siege. As a cybersecurity analyst, I see this as not just a technical problem but a systemic challenge that demands urgent attention from individuals, organizations, and policymakers alike.

The Scope of the Problem

Data leakage, where sensitive information is exposed or stolen due to inadequate security measures, has become alarmingly common in Nigeria. In recent years, high-profile incidents have underscored the scale of the issue. For instance, a 2024 investigation revealed that sensitive personal data, including NINs and Bank Verification Numbers (BVNs), were being sold online for as little as ₦100 (approximately $0.06 USD). This wasn’t an isolated breach but a symptom of a broader failure in data stewardship. Reports indicate that in the first quarter of 2023 alone, over 82,000 accounts were compromised, a 46% increase from the previous quarter, positioning Nigeria as one of the most breached nations globally during that period.

The consequences are dire. Exposed data fuels identity theft, financial fraud, and even physical crimes like kidnapping, where criminals exploit addresses and personal details. The economic toll is equally staggering, with global estimates suggesting that data breaches cost businesses millions annually—a burden Nigeria’s economy can ill afford as it navigates inflation and currency instability.

Root Causes: A Perfect Storm

Several factors converge to make Nigeria a hotspot for data leakage. First, there’s the issue of lax cybersecurity practices across both public and private sectors. Government agencies like the National Identity Management Commission (NIMC) oversees vast databases, yet incidents suggest vulnerabilities in their systems or those of third-party partners. While NIMC has denied direct breaches, the presence of citizen data on illicit websites points to weaknesses in the ecosystem—whether through insider threats, poor vendor oversight, or inadequate encryption.

Second, Nigeria’s rapid digital adoption has outpaced its regulatory and enforcement frameworks. The Nigeria Data Protection Act of 2023 was a step forward, aiming to safeguard personal information and impose penalties for breaches. However, implementation remains inconsistent. The Nigeria Data Protection Commission (NDPC) reported investigating 17 major breach cases in 2024, but with over 1,000 complaints received, the scale of the problem far exceeds current capacity. Fines and sanctions exist on paper, but enforcement is often undermined by resource constraints and, in some cases, corruption.

Third, public awareness is alarmingly low. Nigerians frequently share sensitive data with banks, telecoms, and even fraudulent websites, often unaware of the risks. Phishing attacks, ransomware, and social engineering thrive in this environment, exploiting both individuals and underfunded organizations that can’t afford robust defenses.

Read also: The most significant cybersecurity threat facing the tech ecosystem today

A Case Study: The NIN Debacle

Perhaps the most glaring example of data leakage in Nigeria is the exposure of NINs, a cornerstone of the country’s identity management system. In 2024, it emerged that even the NIN of a high-ranking government official was purchased online for a trivial sum, spotlighting the vulnerability of a system meant to unify and secure citizen data. NIMC has maintained that its databases remain intact, suggesting that leaks stem from external sources like telecoms or banks. Yet, this defense only highlights a deeper issue: the lack of a cohesive, secure data-sharing framework across entities handling citizen information.

This incident isn’t just embarrassing—it’s a national security risk. Criminals armed with NINs, BVNs, and addresses can impersonate individuals, access financial systems, or worse. The absence of a centralized, fortified data infrastructure leaves Nigeria exposed, with each agency or company operating as a potential weak link

The Broader Implications

Beyond individual harm, data leakage threatens Nigeria’s digital economy. Fintech companies, a bright spot in the nation’s tech landscape, rely on trust to onboard users. Breaches erode that trust, potentially stalling growth in a sector that has attracted billions in investment. Similarly, as Nigeria pushes for e-governance, citizens may hesitate to engage with digital platforms if they fear their data isn’t safe. Internationally, the country risks being seen as a cybersecurity liability, deterring foreign investment and partnerships.

Solutions: A Multi-Pronged Approach

Addressing Nigeria’s data leakage crisis requires a concerted effort across multiple fronts:

1. Strengthen Cybersecurity Infrastructure: Government and private entities must invest in advanced encryption, regular security audits, and real-time threat detection. Zero-trust architectures—where no user or system is inherently trusted—could significantly reduce insider threats and external breaches.

2. Enhance Regulation and Enforcement:The NDPC needs more funding and autonomy to enforce the Data Protection Act effectively. Penalties for negligence or wilful breaches should be swift and severe to deter lax practices.

3. Public Education: Awareness campaigns can empower Nigerians to recognize phishing attempts, secure their devices, and demand accountability from organizations handling their data. Simple steps like two-factor authentication could thwart many attacks.

4. Centralized Data Governance: A unified, secure framework for collecting, storing, and sharing citizen data across agencies would minimize vulnerabilities. Blockchain technology, for instance, could offer a tamper-proof ledger for identity management.

5. Private Sector Accountability: Banks, telecoms, and tech firms must be held to higher standards, with mandatory breach reporting and transparent remediation processes. Collaboration between sectors could also foster shared threat intelligence.

Nigeria stands at a crossroads. Its digital ambitions are laudable, but they rest on a foundation weakened by data leakage. As a cybersecurity analyst, I see this as a clarion call for action. The tools and knowledge to secure Nigeria’s data exist—what’s lacking is the will and coordination to deploy them at scale. Without swift intervention, the country risks not only economic losses but the erosion of public trust in its digital future. The time to act is now, before the next breach exposes yet another layer of this unfolding crisis.

Foluso is a seasoned security consultant with experience at Bloomberg and EasyJet, specializing in risk management and cybersecurity. With an MSc in Embedded Systems and Wireless Networks, he currently works at a top UK firm, bringing expertise in securing critical infrastructures