Addressing data breaches in identity management system


Data breaches can be far more than a temporary terror — they may change the course of a life. Businesses, governments and individuals may experience huge complications from having sensitive information exposed, a reason that calls for fortification of the identity management system in Nigeria, ADEYEMI ADEPETUN writes.

With more data about people’s lives, such as health care, financial and travel records, being stored online, it is becoming substantially harder to track where one’s information is available and who can access it. As a result, data breaches are becoming substantially more common, and identity theft is more commonplace in the current digital landscape.
    
Data breaches have become the order of the day, from countries to regions and regions to the world. Nigeria has not been an exception. There is no gainsaying the fact that Nigeria has a severe problem of poor recordkeeping and maintenance and the effects of this are seen almost daily. Public institutions and private firms are both culpable and vulnerable because up to eight in 10 firms in Nigeria experience cybersecurity breaches regularly.
    
A global study released by Surfshark, an Amsterdam-based cybersecurity firm, ranked Nigeria as the 32nd most breached country in the first quarter of 2023. According to the report, Nigeria had 82,000 leaked accounts from January to March 2023, representing a 64 per cent increase from the previous quarter. It added that data breaches globally declined in Q1 2023, with 41.6 million accounts breached. This is almost 50 per cent less than the nearly 81 million recorded in Q4 2022.
    
Indeed, data breaches are not abating in Nigeria and the rest of the world, and they may not abate anytime soon. About a week ago the National Identity Management Commission (NIMC) came out to deny that its database was compromised. The breach was traced to a data privacy organisation called XpressVerify.
   
XpressVerify was reported to have had unrestricted access to the National Identification Numbers (NINs) and personal details of all Nigerians registered in the country’s identity database managed by NIMC.
   
Additionally, the report indicated that XpressVerify had exploited this access to monetise NINs and citizens’ personal information stored in the database. According to the spokesperson for NIMC, Kayode Adegoke, the Commission provided NIN verification and other services through licensed partners, and XpressVerify does not fall under this category. This revelation has sparked worries among citizens about the safety and security of their data.

NDPC to probe the situation
WORRIED by the alleged privacy breach of citizens’ data at NIMC, the Nigeria Data Protection Commission (NDPC) called for a full-scale investigation into the alleged unauthorized access to the personal data of enrollees in the database of the commission.
   
The National Commissioner, NDPC, Vincent Olatunji, in a statement signed by Babatunde Bamigboye, the Head of Legal, Enforcement and Regulations, noted that this investigation is a further regulatory measure to be taken by NDPC in the wake of public concerns over reports of illegal access to personal data of enrollees by a shadowy entity called XpressVerify.com.
 
The statement read in part, “It will be recalled that before now, NDPC has been engaging with NIMC on fostering adequacy of data protection. To this end, NDPC held training with relevant officers of NIMC in early February 2024. This is one in a continuum of measures being put in place by the Federal Government to ensure data privacy and protection.
   
“We note that NIMC has initiated an internal investigation and it has immediately given full assurances of cooperation with NDPC to get to the root of the allegation and to review existing mediums through which any entity may lawfully verify the identity of enrollees on its platform. Further, NDPC will work with relevant agencies to audit the trails of the alleged unauthorised data processing and monetization of the same and those who are found culpable for violating the Nigeria Data Protection Act, 2023 will be brought to justice.

  
“The commissioner further directed that preliminary findings of the investigation should be made public within seven days”, the statement reads.

What happened?
It appears there is more to the breach than the public has been told. It is a known fact that data privacy is a right, not a privilege. It was gathered that the NIMC tokenization platform was designed to safeguard the identity and personal information of citizens and residents. This process appears not to have been deeply explored by the NIMC lately, hence the breach.
   
Checks showed that the tokenization does not permit raw NIN verification. In fact, the whole essence is User Consent Management and data privacy, where there is a policy requirement to seek the consent of the user following industry best practices, not merely a piece of paper with a signature.
   
The rollback to the NIMC NIN Verification Service (NVS), an action recently directed by the NIMC through a memo signed by the Director/Head of Business Development and Commercial Services, Carolyn Folami, means that anyone who has a verification licence and a NIN can query data with or without consent.
    
According to an expert, the ID holder is also not aware of the verification or of who has access to their data. Likewise, there are limited encryption controls in place. NIMC may point to its use of a VPN, but an insider claimed the commission does not have VPN servers, meaning that NIMC depends on foreign servers and that only the VPN tunnel is encrypted, not the data itself.
    
Indeed, network-wise, this breach is just the very latest incident. Binance was able to filch $26 billion from the Nigerian economy due to the NVS vulnerability as they used a proxy.
    
Consequently, there are implications for the agents and sub-agents. As it is, it appears NIMC has no idea who these sub-agents are and cannot control them. The tokenisation does not permit any store-and-forward mechanisms and provides full transparency of the verification exercises.
   
The implications for the overall database of the NIMC appear deep, especially for security. The World Bank identified this in 2017 and advised on the development of the tokenization, which was then implemented. But the current breach appears to be 100 per cent and it is unlikely to end if NIMC maintains the system based on the memo by Folami.
   
Industry sources fear that the new management could be, wittingly or unwittingly, undoing all the data privacy initiatives that were put in place.

Calls for urgent measures to bridge breaches
THE Paradigm Initiative, a civil society organization, has called for prompt measures against breaches at the commission by XpressVerify.com.
The organization said the breach is a violation of the National Data Protection Act and of citizens’ constitutional right to privacy, a blatant disregard for the law and a betrayal of public trust.

   
Emphasising the critical need for intervention from both the NIMC and the NDPC to address this alarming violation of citizens’ privacy rights, Paradigm Initiative has urged that immediate action be taken.
   
The organisation urged the NDPC to expeditiously and independently investigate the matter, ensuring accountability for all parties involved in compromising the security of the National Identity Database.
   
“Every Nigerian deserves to have confidence that their personal information is kept secure and safeguarded. We demand clear steps from NIMC to rectify this breach and prevent its recurrence,” Paradigm Initiative stated.

THE Director-General and CEO of NIMC, Abisoye Coker-Odusote, clarified that the commission provides NIN verification and related services exclusively through licensed partners.
    
According to her, “The Commission confirms that NIN verification and other services are conducted solely through licensed partners. However, Xpress Verify does not fall within the Commission’s list of licensed partners.
   
“We appreciate our media partners and the individuals who exposed this issue, and assure Nigerians and legal residents that there has been no form of data breach, and citizens’ data remains secure and protected within Nigeria’s National Identity Database.”
