After going through hell, Nigerians’ data up for peanuts

4 months ago 32

In 2012, the Director of the Federal Bureau of Investigation (FBI), Robert Mueller, said there are only two kinds of companies – those that have been hacked, and those that will be. Lately, that has proven to be most valid with routine hacking and data breaches, leading to unauthorised sales of personal data, identity theft, and misuse of individuals’ National Identification Numbers, among others. ADEYEMI ADEPETUN writes on the urgent need to curb the criminal trend of some private organisations harnessing peoples’ data for personal gains and likely complicity of government agencies involved in the sham.

For the umpteenth time, the National Identity Management Commission (NIMC) has come under fire. Reason: Rampant cases of data breaches are becoming synonymous with the agency, and the challenge is fast exposing the capabilities of its Front End Partners (FEP). This development if not nipped in the bud, poses a grave danger to individuals and businesses in the country.

Paradigm Initiative (PIN), a digital hub spread across Africa, recently raised the alarm after it discovered that a website was selling the personal data of Nigerians illegally online.

Emphasising on breach of fundamental rights to privacy, Paradigm Initiative, in a publication, titled: “Major Data Breach: Sensitive Government Data of Nigerian Citizens Available Online for Just N100,” called for urgent action by concerned authorities.

Paradigm Initiative further claimed that a particular firm, AnyVerify.com.ng distributes personal and private data of Nigerians under the guise of providing verification services, just as it stressed that the act of unauthorised access to the data of Nigerian citizens by AnyVerify.com.ng, and the commercialisation of same violates the provision of Section 37 of the Constitution of the Federal Republic of Nigeria 1999.

Checks by The Guardian showed that the website claimed to verify data such as National Identity Number (NIN), Bank Verification Number (BVN), driver’s licence, International Passport, Tax Identification Number (TIN), Permanent Voter’s Card (PVC), and phone numbers, among others.

But PIN alleged that “all these are sold by this website to any interested party for the sum of N100.00 for each data request. “Due to the severe implication for millions of Nigerians, we have through our legal partners, Vindich Legal, served a pre-action notice to the following government agencies: National Identity Management Commission (NIMC), Nigeria Data Protection Commission (NDPC), the Nigeria Immigration Service (NIS), the Federal Inland Revenue Service (FIRS), the Central Bank of Nigeria (CBN), the Independent National Electoral Commission (INEC), the Federal Road Safety Corps (FRSC), and the office of the Attorney General of the Federation (AGF).”

Indeed, this latest discovery came almost 10 weeks after it was first discovered that a site, that had access to the NIMC server, was harnessing and selling data of Nigerians, albeit freely.

In March this year, the Foundation for Investigative Journalism (FIJ) published a story about how XpressVerify, a private website, accesses data of Nigerians for personal gains.

The FIJ found out that the website had access to the NIN and personal details of every registered Nigerian, and for as little as N200, anyone could access details such as phone numbers, NIN, address, and even photographs.

Even though the rise in data breaches is global because of the huge movement of the world online. Nigeria’s case is becoming worrisome because of a possible and largely irreparable dent on businesses and individuals.

In April, The Guardian reported that over 4,000 cyberattacks were recorded daily in the country. This was even as Nigeria ranked fifth on the crime index.

A technology security firm, Nitroswitch noted that systems, networks, and programmes come under digital attacks in the country with the number exceeding 4,000 daily.

Presently, Nigeria ranks fifth in a global report on sources of cybercrime activities, coming behind Russia, which ranked number one, Ukraine, China, and the United States, which occupied the second, third, and fourth positions respectively.

According to researchers from the Department of Sociology, University of Oxford, and the University of New South Wales, Canberra, which produced the research, it is the first-ever World Cybercrime Index, which identified the globe’s major cybercrime hotspots by ranking the most significant sources of cybercrime at a national level.

Other countries that make the top 10 list of cybercrime hotspots include Romania, North Korea, the United Kingdom, Brazil, and India.

Further, as of 2023, a global study by Surfshark, an Amsterdam-based cybersecurity firm, ranked Nigeria as the 32nd most breached country in the first quarter. Per the report, Nigeria had 82,000 leaked accounts from January to March 2023, which represented a 64 per cent increase from the previous quarter. It added that data breaches globally declined in Q1 2023, with 41.6 million accounts breached. This was almost 50 per cent less than the nearly 81 million recorded in Q4 2022.

The Lead Researcher at Surfshark, Agneska Sablovskaja, was not relieved by this reduction in data breaches. “However, the fact that over 40 million accounts were breached in just a few months is still a cause for concern.

Those whose data were compromised are at an increased risk of being targeted by cybercriminals as their personal information can be utilised for phishing attacks, fraud, identity theft, and other serious cybercrimes,” she said.

Indeed, the alarming surge of data breaches in Nigeria and their potential consequences raise the urgent need for proactive measures to protect sensitive information.

Data breaches have severe implications for both individuals and businesses. Personal information, including financial records, medical data, and identification details can be compromised, leading to identity theft, financial fraud, and reputational damage. It also damages the trust of customers and the overall reputation of the business.

Even though the Nigeria Data Protection Commission (NDPC) found the NIMC’s security infrastructure compliant, and indicated that the March breach was due to access abuse by an NIMC agent, it is extremely difficult to absolve the Commission of the crisis. Its lack of capacity, as well as, underhand dealings by some staff members constitute a major threat to NIN issuance with several backlogs yet to be cleared.

Like it did some months back, the NIMC promptly debunked the claim of data breach.

According to the Head of Corporate Communications, NIMC, Kayode Adegoke, there is no exposure of sensitive data of Nigerian citizens as it concerns the Commission amongst many other data-collecting agencies.

While assuring the public that the data of Nigerians has not been compromised, he said the Commission has not authorised any website, or entity to sell, or misuse the NIN amongst all the identities stated in the report.

Adegoke revealed that websites including idfinder.com.ng; Verify. Ng/sign in, championtech.com.ng, trustyonline.com, and anyverify.com are data harvesters not authorised by the NIMC to access or manage sensitive data.

“NIMC urges the public to disregard any claims or services these websites offer and should not give their data, as they are potentially fraudulent and data provided by the public on such websites are gathered and stored to build the data services that they illegally provide,” he stated .

Consequently, Adegoke said that the Commission had taken robust measures to safeguard the nation’s database from cyber threats – a secure, world-class, full-proof database is in place.

He disclosed that the commission’s infrastructure meets the stringent ISO 27001:2013 Information Security Management System Standard, with annual recertification and strict compliance with the Nigerian Data Protection Law.

The NIMC further advised Nigerians to avoid giving their data to unauthorised and phishing sites, stressing that this poses the danger of data harvesting, and comprises individual data.

According to him, the Commission reaffirms its commitment to upholding ethical standards in data protection in line with the Federal Government’s directives and data privacy regulations.

He said, moreover, licensed partners or vendors are not authorized to scan or store NIN slips but to verify NINs through approved channels.

Adegoke disclosed that the Commission is currently working closely with security operatives to apprehend these elements masquerading as online vendors, stressing that they will be made to face the full wrath of the law.

MEANWHILE, to further buttress its claim, PIN through its X handle, on Saturday, revealed that AnyVerify.com.ng has been taken offline.

“Following our press conference on another website that was selling sensitive data of Nigerians, including those of high-profile government officials and security agents, http://AnyVerify.com.ng has now been taken offline. We are taking legal action to force @nimc_ng and @ndpcngr to do the right thing this time, unlike the March 2024 leak (and others before) that ended with press statements and inadequate regulatory action.

“As a part of that process, we archived the website that has now been taken offline to hide trails, we have proof that they were selling data through chat apps, we set up an account that easily bought the NIN slips of the Digital Economy Minister and National Commissioner of Nigeria’s Data Protection Commission, and we have found many other such websites that are still active online!”

A telecoms expert, Kehinde Aluko, said that the NIMC would need to do more to convince Nigerians that their data are safe.

Aluko noted that beyond the rhetoric, harnessing and selling peoples’ data without their consent is a major case of breach of data laws.

According to him, the 1999 Constitution (as amended) recognises privacy as a fundamental human right and guarantees the protection of citizens, their homes, correspondence, telephone conversations, and telegraphic communications.

He said this birthed the enactment of the Nigerian Data Protection Act 2023 and establishment of the Nigeria Data Protection Commission.

Aluko, also a lawyer, said that the Act provides guidelines on the management of personal data to institutions and agencies of government such as the National Identity Management Commission, which handles the national database of Nigerians.

According to him, Section 26 (1) of the National Identity Management Commission Act 2007 makes it unlawful for the commission to give out information about Nigerians contained in the database, except for reasons bothering national security.

“No person or body corporate shall have access to the data or information contained in the Database concerning a registered individual entry except with the authorisation of the Commission and only if: (a) an application for the provision of the information to that person is made by or with the authority of that individual; or (b) that individual otherwise consents to the provision of that information to that person,” the Act stated.

Asked to address how safe the country’s data is, a United States-based, cybersecurity expert, Ola Olanipekun, said: “For successful data breach prevention, an organisation needs to prioritise its internal network, ensuring a robust defense even if external barriers are breached. This can be likened to a castle with multiple layers of walls; even if the outer wall is compromised, the inner sanctum remains protected. By adding layers of resistance, we complicate the cyberattack pathway, making it increasingly difficult for hackers to reach their ultimate goal—stealing or compromising sensitive data.”

Author

  • Adeyemi Adepetun

Visit Source