• Tuesday, July 23, 2024
businessday logo


NIMC gets heat for data breaches, commission fingers 5 illegal websites

Nigerians with NIN now 107 million — NIMC

Following recent data leaks, the National Identity Management Commission has come under increased scrutiny over the security of Nigerians’ personal information.

This follows recent discoveries of websites selling National Identification Number (NIN) information. NIMC, however, insists that its database remains uncompromised and that it has not authorised any website or entity to sell or misuse NIN data.

Over 107 million NINs have been issued according to NIMC. In a statement signed by Kayode Adegoke, head of Corporate Communications, NIMC, the commission warned Nigerians about five websites illegally selling Nigerian’s personal information. These websites include idfinder.com.ng, Verify.Ng/sign in, championtech.com.ng. trustyonline.com, and anyverify.com. The statement emphasised that the sites are unauthorised data harvesters.

“NIMC urges the public to disregard any claims or services these websites offer and should not give their data as they are potentially fraudulent and data provided by the public on such websites are gathered and stored to build the data services they illegally provide,” Adegoke said.

The commission highlighted that it has taken measures to protect the nation’s database from cyber threats, adhering to the ISO 27001:2013 Information Security Management System Standard with annual recertification, and strict compliance with the Nigerian Data Protection Law.

Nigerians were advised to avoid giving their data to unauthorised and phishing sites to prevent data harvesting and the compromise of personal information. The commission clarified that its licensed partners or vendors are not authorised to scan or store NIN slips but only to verify NINs through approved channels.

NIMC added that it is currently working closely with security operatives to apprehend online vendors harvesting Nigerians’ NIN information.

However, concerns remain about how these data harvesters obtained access to a pool of NIN data. Yinka Ogunnubi expressed on X, “How exactly are they data harvesters when they are actually providing sensitive private data of Nigerians for people prepared to pay for them? You need to do more than issuing statements to reassure Nigerians that their data is safe and can’t be purchased for a fee on the net.”

In March, the Foundation for Investigative Journalism revealed that XpressVerify.com had illegal access to NIN’s database. This led to investigations by NIMC and the Nigeria Data Protection Commission (NDPC). After this, the NDPC disclosed that third-party agents were responsible for the breach.

NIMC barred third-party agents from access to its database after this. Babatunde Bamigboye, Head of Legal, Enforcement and Regulations, NDPC, said, “To remedy this incident, NIMC, in line with established remediation protocols, barred all forms of access to its database.

“Though necessary, barring all forms of access affected all genuine and crucial verification requests. After a painstaking review, limited access has been granted to few establishments that are providing pivotal public services such as education and security.”

On June 20, 2024, Paradigm Initiative (PIN), a digital advocacy organisation, revealed that several unauthorised websites still claim to hold and provide access to Nigerians’ sensitive personal and financial data for as little as 100 Naira.

It highlighted that AnyVerify.com.ng, a website commercialising Nigerians’ personal and private data, has been operating in Nigeria’s digital space since November 2023.

“These include personal data such as the National Identity Number (NIN), the Bank Verification Number (BVN), a virtual NIN, Driving License, International Passport, Company details, Tax Identification Number (TIN), Permanent Voter’s Card (PVC) and Phone Numbers,” it said.

According to PIN, AnyVerify.com.ng is now offline (following its report), but it is pursuing legal action to ensure NIMC and the NDPC take appropriate measures this time, “unlike the March 2024 leak (and others before) that ended with press statements and inadequate regulatory action.”