Data Breach: Why NIMC’s response did not do enough to allay the fears of Nigerians

Ejike Kanife
NIMC’s response has raised more questions than answers, like how did AnyVerify get Bosun Tijani’s NIN?
Nigerians Will Pay 17% of Minimum Wage for National ID Card Renewal, but NIMC Should Prioritise Solving NIN Challenges

During the week, a digital rights organisation, Paradigm Initiative broke the news that a nefarious website,, had access to the sensitive data of Nigerians as collected by data collection agencies like the National Identity Management Commission (NIMC) and was being sold for the beggarly sum of 100 naira.

This information includes personal data such as the National Identity Number (NIN), Bank Verification Number (BVN), virtual NIN, Driving License, International Passport, Company details, Tax Identification Number (TIN), Permanent Voter’s Card (PVC) and Phone Numbers. All these are sold by this website to any interested party for the sum of N100.00 (One Hundred Naira Only) for each data request.

To prove their point, the digital rights organisation purchased the NIN slips of Nigeria’s minister of communication and digital economy, Dr Bosun Tijani, and the national commissioner of the Nigerian Data Protection Commission (NDPC), Dr Vincent Olatunji.

See also: Data breach: NIN, BVN of Nigerians sold online for just 100 naira- Paradigm Initiative

Of course, this did not go down well with millions of Nigerians who questioned the safety of their personal information in the hands of the government.

Dr Bisoye Coker-Odusote, Acting Director-General of NIMC

In reaction, NIMC denied any breach, blaming Nigerians for giving out their information to “data harvesters” who resell the same for 100 naira, before asking them to only listen to information on the matter dished out by “verified sources”.

The statement conveniently omitted the part where the information of two ranking officials of the federal government was readily obtained, cheaply and easily.

NIMC’s response begs more questions

The creators of the statement might have patted themselves on the back for a job well done, But, their response elicited more questions than answers. Chief of which is; how did an unauthorised website get the personal information of Nigerians?

Or, more clearly, how did they get the NIN slips (and who knows what else?) of Doctors Bosun Tijani and Vincent Olatunji?

NIMC denounces NIN, BVN data breach allegations, warns Nigerians against phishing sites
The statement by NIMC…

The commission’s statement reads in part:

NIMC urges the public to disregard any claims or services these websites offer and should not give their data as they are potentially fraudulent and data provided by the public on such websites are gathered and stored to build the data services they illegally provide“.

Going by this response, can we conclude that Dr Tijani and Dr Olatunji gave away their NIN slip to the website owners? If that is not the case, how else did they get the information that should only be found on a government-owned database?

What is certain is that the website proprietors likely got the data of hundreds of millions of Nigerians the same way they got those of the two doctors.

Also, the commission claimed that it was “currently working closely with security operatives to apprehend these elements masquerading as online vendors, and they will be made to face the full wrath of the law”.

In February, FIJ exposed, for selling the data of Nigerians. Then, just like now, the website was quickly taken down. NIMC, in a statement promised to investigate and prosecute the perpetrators. And, that was the end of it.

Data breach: NIN, BVN of Nigerians sold online for just 100 naira- Paradigm Initiative
AnyVerify is a successor of XpressVerify

The pertinent question is; were the online vendors reported by FIJ made to face the full wrath of the law?

Promises to follow through on prosecutions such as this are fast becoming cliches.

It is incredible how the websites were taken down, less than 24 hours after it was exposed by the media.

Plus, this time, the commission included four other platforms peddling personal information with the assurance that it would apprehend them. Somehow, NIMC wants Nigerians to believe it has been tracking these websites for a while yet they have been left to the detriment of many citizens. If NIMC had been on top of its game, wouldn’t have been a problem in the first instance.

Then, another interesting part of NIMC’s statement reads:

The Commission, at this moment, assures the public that the data of Nigerians has not been compromised, and the Commission have not authorised any website or entity to sell or misuse the National Identification Number (NIN) amongst all the identities stated in the report.”

It is not enough to claim, in the typical Nigerian lip-service fashion, that the data of Nigerians are safe after ‘a whole‘ minister’s information was bought for a beggarly sum of 100 naira. What exactly has the NIMC done to guarantee the safety of the data in its care?

It is improbable that all of these websites, with domain names ending with .com.NG, are proving too difficult to track down by purportedly the best digital heads in Nigeria.

This is one of the areas where Dr Bosun Tijani’s response trumps anything the NIMC had released. Not only did the minister refuse to deny there was a breach, he said that the NDPR “has since started a thorough investigation as to the circumstances surrounding this alleged breach.”

NIN data for N100: "Minister of Interior, NIMC, NDPC investigating breach"- Minister of Communications, Bosun Tijani says
Bosun Tijani, Nigeria’s Minister of Communications, Innovation and Digital Economy

The minister then went on to exhaustively reel out everything the MDAs under his ministry have done to strengthen digital public infrastructure (DFI) and ensure that data within the ministry are handled with all the sensitivity they require, all following a whitepaper he had prepared.

But alas, the minister’s efforts are quite limited in their influence. One could only hope such thoroughness were to be inculcated by the actual data collecting agencies like NIMC, CAC, INEC, FIRS and others.

As we await the result of the minister’s investigation, if it ever comes in, one can only hope it does the barest minimum; tell us exactly how they got Dr Bosun Tijani’s NIN.

Technext Newsletter

Get the best of Africa’s daily tech to your inbox – first thing every morning.
Join the community now!

Register for Technext Coinference 2023, the Largest blockchain and DeFi Gathering in Africa.

Technext Newsletter

Get the best of Africa’s daily tech to your inbox – first thing every morning.
Join the community now!