The Executive Director of Paradigm Initiative, Gbenga Sesan, has raised serious concerns about data security in Nigeria following revelations of significant lapses at the National Identity Management Commission.
Sesan’s organisation, which advocates for digital rights and inclusion across Africa, discovered that National Identity Number slips were being sold for N100, exposing millions of Nigerians to potential identity theft and privacy breaches.
“Our data in Nigeria is not safe, and that is what we have established,” Sesan told a local newspaper. “It is not safe, not because we do not have the certification. The National Identity Management Commission claims they have certifications and, of course, they do.”
Despite those certifications, multiple incidents of data breaches had occurred, including recent ones, which NIMC had denied, he added.
In June, the commission issued a statement identifying fraudulent websites, including idfinder.com.ng, verify.ng, championtech.com.ng, trustyonline.com, and anyverify.com, involved in the illegal activity, warning citizens to beware of such sites.
NIMC reassured the public that robust measures were in place to safeguard the nation’s database from cyber threats, adhering to ISO 27001:2013 standards and complying with the Nigerian Data Protection Law.
Sesan added that securing data involved more than just certifications because it required ensuring that those responsible for security take action when breaches occur.
He criticised NIMC’s response, stating that officials even discouraged journalists from speaking to him about the issue.
“When the breach happened, NIMC kept denying it. They still went on some TV stations denying it,” Sesan stated.
Comparing Nigeria’s situation with global practices, Sesan noted, “There is no 100 per cent safe data anywhere in the world, nowhere. But once you find out that there is a leak, you trace the source of that leak, you punish the person and make it difficult for them to do it again.”
He stressed that the issue in Nigeria stemmed from a culture of impunity and the lack of corrective measures after breaches.
To illustrate the severity of the problem, Sesan revealed that his organisation had purchased data, including that of a minister and the head of the commission, to demonstrate the vulnerabilities.
He called for an immediate and thorough investigation, emphasising the need for accountability and stringent measures to prevent future breaches.
As Nigeria grapples with these alarming security lapses, Sesan’s exposé underscores the urgent necessity for robust data protection policies and enforcement to safeguard citizens’ personal information.
In March, the media reported that a website known as expressverify was monetising the recovery of NINs and personal information from the Nigerian identification database.
The website reportedly had unrestricted access to NINs and personal details of Nigerians registered in the nation’s identity database managed by NIMC.
This incident prompted the Nigeria Data Protection Commission to heighten scrutiny of NIMC licensees after the website breached data protection protocols.
Experts who spoke to The PUNCH earlier said that, although there were no cases of data breaches in the NIN database, illegal entries from third-party sources to endpoints had proliferated in the system.