An extensive data breach at BestFin Nigeria, a Nigerian fintech company, has exposed highly sensitive personal information of approximately 846,000 customers of its loan application service. According to Cybernews, which reported the breach, the exposed data included private communications along with other personal details. The breach, which involved an unsecured MongoDB database, has raised significant concerns about data privacy safeguards and the ethical conduct of digital lending applications in Nigeria.
On the 2nd of July, 2024, Cybernews came across a 300-gigabyte database that was not protected by any security measures. The database was traced back to BestFin Nigeria, the developer of the iCredit app, a popular online loan service in Nigeria. The exposed personal information included, but was not limited to, full names, phone numbers, email addresses, and residential addresses of the app’s users.
Furthermore, the company was found to have collected an extensive amount of private data from its users. This included complete contact lists, a record of all the applications installed on users’ devices, and text messages that went beyond loan-related communications. Even more concerning was the discovery of logs pertaining to the validation of users’ Bank Verification Numbers (BVNs), a sensitive financial identifier.
The extent of the data collected by BestFin Nigeria, particularly the inclusion of personal communications, is alarming and has prompted questions about the legality of such practices under the existing Nigerian Data Privacy Regulations, which explicitly prohibit unauthorized access to users’ contact lists and private messages.
The breach also uncovered unethical methods used by the company’s loan recovery agents, including harassment, blackmail, and threats to publicly expose borrowers’ private financial data. These tactics are indicative of a larger issue within Nigeria’s digital lending industry, where aggressive and often unethical debt collection methods are reportedly widespread.
Additionally, the database was found to have been targeted by an external malicious actor, as evidenced by a ransom note demanding 0.01 bitcoin (equivalent to approximately $640 at the time) for the restoration of access to the database. This suggests that the sensitive information of BestFin Nigeria’s customers may have already been accessed by cybercriminals, posing an even greater risk to those affected.
Although this is a single incident, it casts a spotlight on the practices of digital lending services across Nigeria, many of which have been subject to regulatory scrutiny. Amid growing concerns, the Nigerian government has pledged to strengthen data privacy laws in 2024. This particular incident, however, underscores the urgent need for more rigorous enforcement and stronger consumer protections.
Despite Cybernews’ attempts to notify BestFin Nigeria about the leak, the database remained unsecured and accessible until the 26th of August, 2024. Customers who have used the iCredit app are being cautioned to remain alert for phishing attacks and other malicious attempts to exploit their compromised data. This breach serves as a stark warning about the dangers consumers face when their sensitive personal information is not adequately safeguarded by the entities that collect and store it.