Paradigm Initiative has uncovered a major data breach in which a website, AnyVerify.com.ng operating in the Nigerian digital space since November 2023 allegedly trades in sensitive personal and financial data of Nigerian citizens “for as little as ₦100,” according to the civil society organisation (CSO).

“This alarming development presents a major breach of the fundamental rights to privacy, a breach of data privacy rights and poses significant risks to individuals and the national economy,” Paradigm Initiative, said in a statement made available to Technology Times detailing the report of its investigations which found that “several unauthorised websites are claiming to hold and provide access to sensitive personal and financial data of Nigerian citizens for as little as ₦100.” 

According to Paradigm Initiative, “Due to the severe implication for millions of Nigerians, we have through our legal partners, Vindich Legal, served a pre-action notice to the following Government Agencies: National Identity Management Commission (NIMC), Nigeria Data Protection Commission (NDPC), Nigeria Immigration Service (NIS), Federal Inland Revenue Service (FIRS), Central Bank of Nigeria (CBN), Independent National Electoral Commission (INEC), Federal Road Safety Corps (FRSC) and the office of the Attorney General of the Federation (AGF).”

Describing the findings as “a shocking revelation” the CSO is calling on relevant stakeholders to address the data privacy crisis. “We call upon all stakeholders,” the CSO said, “including government agencies, financial institutions, the private sector, media institutions, researchers, and civil society organisations, to collaborate in addressing this data privacy crisis. Protecting the personal information of Nigerian citizens is of paramount importance, and collective efforts are needed to restore trust and ensure the security of our nation’s data infrastructure. Nigerians have made a lot of sacrifices and trusted the government with their personal data in exchange for a social contract that includes security, so it would be ironic to leave all of that data in the hands of bad actors such as kidnappers, burglars and terrorists.”

Paradigm Initiative said that from its research, “AnyVerify.com.ng is a website involved in the commercial distribution of personal and private data of Nigerians. On its webpage, a drop-down displaying the myriads of data services which the website renders can be observed. These include personal data such as the National Identity Number (NIN), the Bank Verification Number (BVN), a virtual NIN, Driving License, International Passport, Company details, Tax Identification Number (TIN), Permanent Voter’s Card (PVC) and Phone Numbers. All these are sold by this website to any interested party for the sum of N100.00 (One Hundred Naira Only) for each data request.”

The website was visited five hundred and sixty-seven thousand, nine hundred and ninety (567,990) times in February 2024 and one hundred and eighty-eight thousand, three hundred and sixty (188,360) times in April 2024, according to the CSO. 

Key concerns of data breach:

According to Paradigm Initiative, the data leaks by the website have raised several issues which the CSO outlined below:

Privacy Violation: The unauthorised access to personal data is a blatant infringement on the privacy of Nigerian citizens. The dissemination of such information could lead to identity theft, financial fraud, and other malicious activities, including data owners being targeted by burglars, kidnappers or terrorists who buy data that includes home addresses.

Economic Impact: The availability of sensitive financial data online can undermine the stability of Nigeria’s banking system. Fraudulent transactions and identity theft can erode public trust in financial institutions, potentially leading to a financial crisis. This is exacerbated by recent findings of huge losses suffered by financial institutions in Nigeria due to digital manipulation.

National Security: The breach of driver’s licence information and other personal data can compromise national security. Such information can be exploited by criminal elements for unlawful activities, posing a threat to the safety and security of the nation.

Legal and Ethical Implications: The existence of these websites highlights significant gaps in data protection and cybersecurity measures within the country. It underscores the urgent need for robust data protection laws and stringent enforcement mechanisms to safeguard citizens’ data.

Government Response:

The Nigerian government is urged to take immediate and decisive action to address this critical issue. This includes:

• Conducting a thorough investigation to identify these illegal online activities.
• Enhancing cybersecurity measures to prevent further data breaches.
• Implementing Nigeria’s Data Protection Act, strengthening the Nigeria Data Protection Commission (NDPC), and guaranteeing the independence of the NDPC, to ensure the privacy and security of citizens’ information.
• Raising public awareness about the risks associated with data breaches and providing guidance on how individuals can protect themselves.

The CSO said that it is seeking several court reliefs including a declaration that the act of unauthorised access to the data of Nigerian citizens by AnyVerify.com.ng and commercialization of the same violates the provision of Section 37 of the Constitution Of The Federal Republic Of Nigeria 1999 (CFRN).

 It also seeks “A Declaration that by virtue of Section 30 And Section 39 Of The Nigeria Data Protection Act (NDPA) 2023, all involved agencies of government have a duty to implement appropriate technical and organisational measures to ensure the security and integrity of citizens’ sensitive personal data.”

 Paradigm Initiative also wants an order of court mandating a full investigation and publication of the investigative report regarding the personal data breach occasioned by the data leak to AnyVerify.com.ng and its customers by the National Identity Management Commission (NIMC).

Paradigm Initiative is also praying the Nigerian court to direct all involved agencies of government to release official information to the public regarding the activities of their agents and sub-licensees. 

Additionally, the CSO seeks “an Order of court directing the involved agencies of government to provide restitution in form of compensation to data subjects who have been affected by the data leak.” 

The CSO recalls that its discovery was preceded by an investigation by Nigerian media organisation, Fij.ng, which had uncovered a similar data breach by another website, www.XpressVerify.com.ng.  

“On the 16th of March, 2024,” the CSO said, “an online media outlet, Fij.ng, published a story on its platform, with the headline, “ALERT: XpressVerify, a Private Website, Has Access to Registered Nigerians’ Data and Is Making Money From It.” In that publication, the media outlet presented an investigative story of a website with the web address, www.XpressVerify.com.ng, that had access to the personal data of Nigerian citizens and commercialised the data for personal gain. Even though the website was quickly taken down, Paradigm Initiative is currently seeking legal redress on behalf of Nigerian citizens.”