How the data of Nigerian passport applicant got into the wrong hands

On June 23, 2025, a deeply unsettling story surfaced on Nigerian social media, highlighting the country’s persistent struggles with data security. Oluwadamisi Awe, a Nigerian citizen, took to X to recount how she was contacted via WhatsApp by a stranger who had obtained her passport application slip, which was used, shockingly, to wrap akara (fried bean cakes) purchased from a roadside vendor.

“@NISResponseNG Why is it so easy for someone’s privacy to be breached??! Someone just texted me on WhatsApp with a picture of my passport application slip, and it was used to sell akara. The slip contains every single piece of information about my life rn… This is not even funny. The guy then asked for my pictures on top.”

The sender, who claimed the slip was used to wrap the snack for him, casually asked for her photographs. The message, which included a photo of the slip containing her personal data like passport number, full name, birth date, and more, quickly went viral, igniting public outrage.

Meanwhile, the Nigeria Immigration Service (NIS), the agency responsible for processing passport applications, responded with a statement via its X account saying: 

“The Nigeria Immigration Service holds data privacy and protection in the highest regard. We utilise robust systems and protocols to safeguard and ensure that personal information submitted through official channels remains confidential and secure.

“However, breaches of this nature are often linked to the involvement of unauthorised third parties such as business cafes or touts during the passport application process. We strongly advise all applicants to apply directly and exclusively via the NIS official portal: passport.immigration.gov.ng, and follow through all official procedures on biometric capturing and passport collection.

“Engaging unscrupulous individuals or unauthorised agents exposes your sensitive data to misuse and puts your privacy at risk. We urge members of the public to avoid such practices and to report any suspicious activity to the nearest Nigeria Immigration Office or through our official channels.”

This story follows a troubling series of similar incidents.

In 2024, investigative reports by FIJ.ng and Paradigm Initiative exposed platforms like XpressVerify.com.ng and AnyVerify.com.ng, which were selling Nigerian citizens’ biodata for as little as ₦100. Details such as BVNs, NINs, and account information were being traded openly online, prompting lawsuits and regulatory scrutiny.

Also, in 2024, Meta was fined $220 million for the unauthorised harvesting of Nigerian user data, underscoring that even international tech giants are not exempt from the country’s data abuse.

Despite these high-profile cases, enforcement of existing laws and policies remains inconsistent. The 2019 Nigeria Data Protection Regulation (NDPR) and the more recent 2023 Data Protection Act have not been matched by robust institutional accountability. Citizens, caught in the middle, have little recourse when their private information is breached or exploited.

Experts trace the crisis to a fragmented data infrastructure. Government agencies such as the Nigeria Immigration Service (NIS), the National Identity Management Commission (NIMC), and the Nigeria Data Protection Commission (NDPC) often operate in silos, with unclear mandates, overlapping roles, and limited coordination.

Although the NIS has launched digitisation efforts through its Enhanced E-Passport system, much of the application process remains manual. Printed documents like Awe’s slip are easily discarded or leaked into informal networks, ending up with touts or vendors. This lack of proper disposal protocols is a key vulnerability.

The real-world impact of unauthorised data exposure 

The cost of these breaches is not just institutional; it is deeply personal and national.

1. Personal security risk: Victims of data leaks face identity theft, scams, and personal harassment. In Awe’s case, she received lewd messages from the stranger who found her data. Without strong enforcement, such invasions of privacy are likely to continue.

2. Loss of institutional trust: Repeated scandals undermine public trust in agencies like the NIS, Correctional Services, and financial institutions. If citizens cannot trust the systems that govern identity, security, and mobility, national development is imperilled.

3. Economic and diplomatic fallout: Data insecurity has far-reaching consequences for international business and diplomacy. Nigeria ranked fourth in Africa for data breaches in 2024, according to Surfshark, with 19.3 million accounts compromised and 119,000 more in Q1 2025 alone. Poor data governance deters foreign investors and weakens compliance with global regulations like the EU’s GDPR.

What must be done

Advocacy groups, cybersecurity professionals, and policy experts agree: urgent reform is needed.

• Define clear agency roles: The NDPC, NIMC, NIS, and related bodies must establish coordinated mandates, secure communication channels, and shared incident-response protocols.

• Enforce public sector accountability: Public institutions must be held to the same data protection standards as private companies. The NIS must adopt regular third-party audits, staff training, and secure disposal methods for physical and digital documents.

• Promote transparency: When breaches occur, agencies must publicly disclose root cause analyses and follow-up actions. Citizens deserve timely information and remedies.

• Strengthen the NDPC: The commission needs more authority, funding, and staffing to investigate, enforce, and educate the public on their data rights.

Until reforms are implemented, Nigerians remain at risk, vulnerable to exploitation, fraud, and humiliation in system that too often treats their personal information with disregard. The akara-wrapped passport slip may fade from the news cycle, but the implications must not.