The recent revelation that Nigerians’ personal data were available for purchase online was long expected, considering the unseriousness and laxity with which data acquisition and protection have been handled in the country for decades.
Before this disclosure, the country’s data collection system was of concern, especially the uncoordinated collection and storage method. Besides the electoral body, which does it periodically, newly elected governments start their own data collection exercise without bothering to find out what is already in place. Even worse, banks and telecommunication service providers often take information from Nigerians almost on a whim.
This prompted calls for a centralised data collection and storage system, a quest still in the making. However, it took the embarrassing revelation that the National Identification Number (NIN) slip of Nigeria’s number one data regulator, the Minister of Communications, Innovation, and Digital Economy, Dr Bosun Tijani, was bought for a paltry N100 for all hell to break loose.
This scenario brought to the fore the inevitable concern about the quality of data protection in the country. What’s worse, this allegation directly targets the legal custodian of public data.
Paradigm Initiative raised the latest question about data protection, sounding the alarm after uncovering instances where NINs, Bank Verification Numbers (BVNs), and other sensitive personal information were purportedly available for sale online, citing direct extraction from government databases. The organisation’s executive director, Gbenga Sesan, further disclosed that the data sold on the websites were sourced directly from government databases.
National Identity Management Commission (NIMC), the statutory organisation that operates Nigeria’s national identity management system, refuted allegations of any security breaches within its database, maintaining that it implements stringent cybersecurity measures to safeguard the integrity of Nigeria’s national identity database. The commission also warned Nigerians to avoid sharing their data with fraudulent websites.
NIMC emphasised that it has not authorised any website or entity to sell or misuse the National Identification Number (NIN) or any other identity information. In our opinion, NIMC’s position that data were sourced from sites other than its platform contradicts the findings of the Paradigm Initiative. Regardless, what is clear is that Nigeria is a hotbed of data stealing and poor protection, indicating that something isn’t right.
A study by cybersecurity firm Surfshark put data breaches in Nigeria at 64 per cent, a “surge in breach incidents during the first quarter of 2023,” the report said. Surfshark’s analysis further ranked Nigeria as the 32nd most breached country worldwide from January to March 2023 (Q1’2023), underscoring the region’s urgent need for enhanced cybersecurity measures. It further added that in Q1 2023 alone, 82,000 accounts were compromised in Nigeria, representing a significant 46 per cent increase compared to the previous quarter (Q4 2022). The study, however, didn’t indicate that the breaches resulted from direct extraction from government databases.
The nation must not underestimate the implications of this situation. The online sale of personal data, including NINs and Bank Verification Numbers (BVNs), poses significant risks to individuals and the economy. Such breaches result in identity theft, financial fraud, and other malicious activities.
However, we are encouraged by the minister’s actions so far. His statement that an investigation has commenced into the alleged data leak and his assurance that prompt action will be taken to check the disturbing trend is reassuring for now.
While the investigation is ongoing, we consider the hint at the vulnerabilities in government databases and the potential for unauthorised access disturbing. The perception that data in the government’s custody are unsafe is, to say the least, sacrilegious. For this reason, nothing short of a robust, detailed and patriotic investigation should be conducted over this huge allegation. This cannot be treated as business as usual.
While we call for restraint in making hasty accusations and labelling, we expect the essence of the Nigeria Data Protection Act, 2023, to take precedence. Nigerians and the international community must be assured that data entrusted to the government by individuals and corporate entities are safe.
Pending the outcome of the investigation, however, this alleged NIN data leak serves as a wake-up call for the government to reprioritise data security to protect citizens’ personal information.
The importance of a robust Digital Public Infrastructure (DPI) and streamlined data exchange protocols across government agencies cannot be overstated. This faux pas could revolve around a false sense of cybersecurity expertise, loopholes in data protection laws, corruption and insider threats, inadequate funding, and an overreliance on technology.
It is a good thing that the Nigeria Data Protection Commission (NDPC) said early this year that it is investigating 17 major cases of data breaches across various sectors, including finance, technology, education, consulting, government, logistics, and gaming/lottery. We believe that continuous interface and increased checks are needed in the private sector. Perhaps this allegation offers an opportunity for broader introspection into how organisations across sectors, for whatever reason, require data to provide services.
Implementing data compliance mechanisms is a crucial step towards enhancing cybersecurity resilience. In an era of Artificial Intelligence and machine learning, we need to start rethinking and retooling our data protection systems to keep up with the times.