The Federal Government has claimed that an unnamed “third-party” allegedly granted unauthorized access into the database of over 104 million enrolled citizens under the custody of Nigeria’s ID agency, the National Identity Management Commission (NIMC).

The Foundation for Investigative Journalism had published a report that detailed how XpressVerify, a private website, has unrestricted access to the National Identification Numbers (NINs) and personal details of every registered Nigerian. The report also revealed that the website has monetised the recovery of NINs and personal information on the Nigerian identification database managed by NIMC.

In what may underscore the scale of the data privacy breaches of private information of Nigerians and residents enrolled on the ID database of the country, the Federal ID agency had reported on its website that enrollment figures peaked at 104.16 million unique records, with Lagos, the nation’s commercial powerhouse, recording highest cumulative enrollment figure of over 11.4 million by December 31, 2023.

NDPC: Preliminary investigation claims ‘third-party’ may have allowed expressverify into NIMC database

Meanwhile, the Nigeria Data Protection Commission (NDPC), which launched an investigation into the exposed data breaches has claimed in the preliminary report released Thursday that an unnamed third-party was allegedly at the centre of the data privacy breaches.

NDPC, the nation’s Federal data protection agency stated in the report of its investigation that, “Following the reported incident of unauthorised NIN verification by expressverify.com, investigation reveals that a third-party who, among others, was originally authorised to provide verification services to citizens and genuine businesses might have allowed expressverify.com to use its NIN verification credentials to conduct verification. The circumstances surrounding this permission is still under investigation,” NDPC, the Federal data protection agency stated in the preliminary report of the investigation signed by Babatunde Bamigboye, NDPC Head of Legal, Enforcement and Regulations     

According to the NDPC report, “To remedy this incident, National Identity Management Commission (NIMC), in line with established protocols, barred all forms of access to its database. Though necessary, barring all forms of access affected genuine and crucial verification requests. After a painstaking review, limited access has been granted to few establishments that are providing public services such as education and security.”

The Nigerian data protection agency further stated that investigations are still underway by relevant agencies “to establish the medium through which expressverify.com obtained the credentials of bona fide third parties and to determine the liability of persons involved in line with extant laws.”

The NDPC report further stated thus: “At the moment, data processing by licensees generally are to be scrutinised and only those that are cleared based on credible evidence of regulatory compliance will be permitted to carry out NIN verification going forward.”

The Federal data protection agency said that it will conduct “series of intensive trainings” for personnel and licensees of NIMC to ensure that they are “abreast of the duty of care and the standard of care mandated by the Nigeria Data Protection Act, NIMC’s Privacy Policy and other relevant regulatory protocols.”

NDPC called on the public to see the NIN as what it described as “an essential data for sustainable development. 

According to the data protector, “While existing technical and organisational measures are being strengthened to ensure the protection of this data, it is important for citizens to ensure that they are not left unidentified in various frameworks for development. It is equally important to be vigilant when sharing personal information on various online platforms.”