The Nigeria Data Protection Commission (NDPC) investigated the March incident and determined that NIMC’s security infrastructure was compliant, attributing the breach to an NIMC agent misusing access privileges. Arrests were made in connection with the breach, though NIMC’s spokesperson denied any wrongdoing at the time....Read The Full Story Here ▶
NIMC typically licenses its database to banks, fintech companies, and other authorized partners for a fee. The fact that AnyVerify is not among these licensed partners raises serious concerns about how it accessed the database.
Gbenga Sesan, executive director of the Paradigm Initiative—a non-profit organization that initially uncovered the issue—stated, “We tested the website, archived it, and successfully purchased NIN slips for Bosun Tijani, the Minister of Communications, Innovation and Digital Economy, and Vincent Olatunji, the commissioner of the NDPC.”
Unlike NIMC and its official partners, AnyVerify, which brands itself as a verification tool, lacks a vetting process to screen out malicious actors. The website merely requires users to submit their email addresses and NINs—the same data they seek to verify. Post-registration, users are prompted to fund a wallet with at least ₦400 before utilizing the site’s services.
An anonymous ethical hacker commented, “Either NIMC is failing in data protection by relying on cloud storage, or an insider is facilitating unauthorized data retrieval.”
Launched in November 2023, AnyVerify saw 567,990 visits in February 2024 and 188,360 visits in April 2024, according to data from the Paradigm Initiative.
These data breaches have occurred only a few months after the National Identity Management Commission was moved from the Ministry of Communications, Innovation, and Digital Economy to the Office of the Secretary to the Government of the Federation.
