Data breach: Implications of websites selling citizens’ NIN, BVN details for ₦100

In a troubling revelation, Paradigm Initiative (PI) has uncovered a data breach and several unauthorised websites are selling sensitive personal and financial data of Nigerian citizens for as little as ₦100.

PI refers to an investigative report by the Foundation for Investigative Journalism (FIJ) Nigeria on March 16, 2024, titled “ALERT: XpressVerify, a Private Website, Has Access to Registered Nigerians’ Data and Is Making Money From It.”

The report detailed how the website, www.XpressVerify.com.ng, was accessing and commercialising the personal data of Nigerian citizens for profit.

“Anybody can retrieve details such as phone numbers, full names, NIN, addresses and photographs of any Nigerian whose data is on the National Identity Database for as low as ₦200.”

FIJ, in the report in March

PI also reports about another website, AnyVerify.com.ng, operating since November 2023, involved in the commercial distribution of personal data.

The site offers a range of services, including access to National Identity Numbers (NIN), Bank Verification Numbers (BVN), driving licenses, international passports, company details, Tax Identification Numbers (TIN), Permanent Voter’s Cards (PVC), and phone numbers.

AnyVerify writes on its website: “AnyVerify helps you to quickly and simply achieve that at the speed of light! using various methods such as NIN, BVN, Voters card, international passport, driving license etc.”

According to PI, each data request is sold for ₦100, and the website recorded 567,990 visits in February 2024 and 188,360 visits in April 2024, highlighting the extensive nature of this breach.

Given the gravity of the situation, Paradigm Initiative has stated it has served a pre-action notice to several government agencies, including the National Identity Management Commission (NIMC), Nigeria Data Protection Commission (NDPC), Nigeria Immigration Service (NIS), Federal Inland Revenue Service (FIRS), Central Bank of Nigeria (CBN), Independent National Electoral Commission (INEC), Federal Road Safety Corps (FRSC), and the Office of the Attorney General of the Federation (AGF).

What are the implications of the data breach?

A data breach in Nigeria can have profound and multifaceted consequences, affecting individuals, businesses, and the government.

These breaches raise significant privacy and security concerns as they expose sensitive personal information, such as names, addresses, phone numbers, financial details, and medical records.

The compromise of such data not only undermines the privacy of individuals but also makes them vulnerable to identity theft and fraud.

Economically, the ramifications of a data breach are substantial. Individuals may face financial losses due to fraudulent activities conducted with their stolen information. Large-scale breaches can disrupt economic activities, particularly if they impact critical sectors such as banking, healthcare, and government services.

In Nigeria, data breaches, particularly involving data owned and accumulated by government agencies, are governed primarily by the Nigeria Data Protection Regulation (NDPR) 2019. The NDPR, enforced by the National Information Technology Development Agency (NITDA), outlines the obligations of data controllers and processors, and the implications of data breaches:

Fines and penalties:
  • Financial penalties: Organisations, including government agencies, can be fined up to 2% of their annual gross revenue or 10 million Naira, whichever is greater, for breaching personal data. This applies particularly if the breach affects more than 10,000 data subjects.
  • Additional fines: If fewer than 10,000 data subjects are affected, the penalty can be up to 1% of the annual gross revenue or 2 million Naira, whichever is greater.
Notification obligations:
  • Data breach notification: Data controllers must notify NITDA within 72 hours of becoming aware of a data breach. This notification must include details about the breach, the categories and approximate number of data subjects and data records concerned, and the potential consequences of the breach.
  • Communication to data subjects: If the data breach is likely to result in a high risk to the rights and freedoms of individuals, the data controller must inform the affected data subjects without undue delay.
Administrative and legal consequences:
  • Investigation and compliance checks: NITDA has the authority to investigate data breaches and conduct compliance checks on organisations. Failure to comply with the NDPR can lead to further administrative actions.
  • Legal proceedings: Affected individuals have the right to seek legal recourse for damages resulting from a data breach. This can lead to additional financial liabilities for the government agency involved.
Reputational damage:
  • Public trust: Data breaches can severely impact the trust that citizens place in government agencies. This can lead to reputational damage, loss of credibility, and diminished public confidence.
  • Transparency and accountability: Government agencies are expected to adhere to higher standards of transparency and accountability. A data breach can highlight deficiencies in these areas, prompting public scrutiny and calls for reform.
Operational impact:
  • Disruption of services: Data breaches can disrupt the operations of government agencies, leading to service interruptions and operational inefficiencies.
  • Data security enhancements: Post-breach, agencies may need to invest significantly in enhancing their data security measures, conducting audits, and implementing stricter compliance protocols.
Legal framework and enforcement:
  • NITDA’s role: NITDA is responsible for enforcing the NDPR and ensuring compliance by private and public sector entities. It provides guidelines, conducts audits, and imposes penalties for non-compliance.
  • Collaboration with other agencies: NITDA collaborates with other regulatory bodies, such as the Central Bank of Nigeria (CBN) for financial institutions, to ensure a comprehensive approach to data protection.
