The National Identity Management Commission (NIMC) has taken decisive action to address concerns surrounding a data breach, leading to the restriction of access to the National Identification Number (NIN) database for licensed agents. The move follows revelations of unauthorized access by a third-party entity, expressverify.com, prompting investigations by regulatory bodies.
The Nigeria Data Protection Commission (NDPC) disclosed in a statement that ongoing investigations suggest that expressverify.com, initially authorized to provide verification services, may have gained access to NIN verification credentials through other licensed agents. As a result, NIMC has implemented remediation protocols, temporarily barring access to its database while investigations continue.
Babatunde Bamigboye, Head of Legal, Enforcement, and Regulations at NDPC, emphasised the need for scrutiny of data processing by licensees, with clearance granted only to those demonstrating regulatory compliance. Limited access has been reinstated for establishments offering critical public services such as education and security, following a thorough review.
The investigation aims to identify the means through which expressverify.com obtained credentials and ascertain liability in accordance with existing laws. Additionally, intensified training programs will ensure personnel and licensees are well-versed in data protection regulations and protocols.
The NDPC underscores the importance of the NIN as essential data for sustainable development, urging citizens to remain vigilant when sharing personal information online. While efforts are underway to strengthen data protection measures, the public is encouraged to prioritize data privacy and security.
The data breach concerns stem from reports by the Foundation for Investigative Journalism (FIJ), revealing that expressverify.com had unrestricted access to NINs and personal details of Nigerian citizens. The website allegedly monetised access to the national identification database, raising significant privacy concerns.
Meanwhile, NIMC has responded to allegations, emphasising that NIN verification services are only offered through licensed partners. The commission has initiated a comprehensive investigation to address infractions and unwholesome practices in the enrollment and modification processes.
However, internal documents suggest a troubling reversal of security measures, with the reinstatement of the National Verification Service (NVS) facilitating unauthorised access to the database. Concerns have been raised regarding potential links between profiteering entities and NIMC staff, prompting calls for immediate action to safeguard private data.
In response to the escalating concerns, NIMC has temporarily suspended third-party Front-End Partners from engaging in NIN enrolments. The commission is conducting a revalidation exercise to address infractions and ensure compliance with data security standards.
Moving forward, stakeholders emphasise the need for stringent measures to protect private data and enhance transparency in the enrollment process. Collaboration between regulatory bodies, security agencies, and industry stakeholders is crucial to addressing vulnerabilities and safeguarding citizen privacy in the digital age.