Identity for sale: How hackers breach security, steal data of vulnerable Nigerians


As Nigeria embraces the digital age, the adoption of online services has transformed how citizens interact with both public and private institutions. From banking to healthcare, e-commerce to education, digital platforms now form the backbone of daily life for millions, as more individuals and businesses migrate online.

However, this evolution has exposed a glaring vulnerability: the safety of personal data. With reports of data breaches, identity theft, and cyberattacks becoming increasingly common, the very systems designed to facilitate convenience are now being exploited to compromise the privacy and security of Nigerians.

Cybercrime in Nigeria is no longer a distant threat; it has become a pervasive menace that has infiltrated every sector. Personal data, including names, addresses, bank details, and even biometric information, is at risk of being traded on underground markets, putting the identity and financial well-being of millions in jeopardy.

Digital transformation

Nigeria’s digital economy has grown exponentially over the past decade. According to the Nigerian Communications Commission, internet penetration in the country stood at 47.36 per cent as of mid-2023, with over 92 million active internet users.

The government has also pushed for the digitisation of services, with initiatives like the National Identity Management System and the cashless policy encouraging citizens to engage with online platforms. This is a commendable move, but how safe is this data?

While this shift has brought convenience and improved accessibility, it has also created fertile ground for cybercriminals. The increased reliance on digital platforms means that vast amounts of sensitive personal data are stored online, often without adequate protection. Hackers exploit these vulnerabilities, using sophisticated methods such as phishing, malware, and social engineering to gain access to personal information.

In many cases, the targets remain unaware of the breach until the damage has already been done. Although the Deputy Director/Head, Strategy and Programme Office at the National Identity Management Commission, Dr Alvan Ikoku, stressed in a presentation on December 4 at the Digital Public Infrastructure Journalism Fellowship Programme of the Media Foundation for West Africa and Co-Develop that the commission’s databank is safe, some Nigerians remain sceptical.

For instance, a senior tech consultant based in Lagos, Ogochukwu Michael, claimed that hackers, who are always on the prowl for information, may have access to these safe banks through third-party affiliations and may steal this data.

“We need more than assurances. We’ve seen it happen before, where data is stolen, especially from third-party or verification agencies, and not much is being done. It’s no longer just a NIMC issue. Nigerians need to be sure that the data they provide to any government agency for registration and/or verification is safe,” Michael stressed.

In his presentation, titled “Nigeria’s Identity Management System: The Journey So Far, Challenges and Projects,” Ikoku noted that the approach used by NIMC was an ecosystem approach.

This approach, according to the director, is a government-led initiative aimed at collecting biometric data nationwide in one go, coordinating efforts to eliminate duplicative data collection, and reducing both cost and time. It also leverages the existing ecosystem of government agencies and the private sector. The process involves NIMC facilities collecting biometric data, its partners gathering data and being paid per successful enrollment, and NIMC storing the data to provide a unique identity for every Nigerian.

He emphasised that the benefits are enormous, and the database and repository are secure. As of November 5, 2024, the system had collected data from over 115 million Nigerians.

He further stated that a well-developed digital identification programme would support the Federal Government’s development agenda and facilitate key government services such as safety nets, financial inclusion, security, and agriculture.

A market for stolen identities

In June 2024, Paradigm Initiative, a digital rights advocacy group, uncovered a shocking revelation: personal data of Nigerians, including their financial details and National Identification Numbers, were being sold online for as little as N100. These data dumps were hosted on websites operating outside Nigeria’s jurisdiction, making it difficult to shut them down or track the perpetrators.

Such breaches are not isolated incidents. In April 2023, allegations surfaced that the database of the National Identity Management Commission had been compromised. While NIMC denied these claims, cybersecurity experts pointed out that Nigeria’s lack of a robust data protection infrastructure made such breaches not only possible but inevitable.

The implication is clear: Nigeria’s digital environment has become a lucrative hunting ground for hackers, with ordinary Nigerians bearing the brunt of these attacks as their identities are commodified.

Real-life consequences

The impact of identity theft and data breaches is both personal and systemic. Victims often suffer financial losses, reputational damage, and emotional distress. For instance, in 2023, a Lagos-based civil servant reported losing over N3 million to a fraudulent bank transaction. Investigations revealed that the fraudsters had obtained her bank details through a phishing email disguised as legitimate communication from her bank.

In January 2023, Chiamaka Agim, a Lagos-based woman who claimed to be a former employee of a Tier-one bank, lamented how over N4 million was ‘fraudulently’ debited from her account on January 9 of the same year without her authorisation. It took the bank several weeks to resolve the issue after much ado.

Jonah Chukwudi, a sales representative with a phone accessories company based in Ikeja, Lagos, shared his experience of being impersonated by another person on social media. His phone number, email address, and other confidential details, which he claimed not to have shared with anyone, were used to perpetrate the crime.

“I was so shocked when I learnt of it. It was distressing. I wondered how they got hold of such information about me because I am not one to put personal data of myself out there. When we investigated, we learned that these guys buy this data from hackers who fraudulently harvest it from authorised websites,” he said.

Healthcare data breaches have also been reported. In one case, hackers accessed the medical records of patients in a private hospital in Abuja, threatening to publish sensitive information unless a ransom was paid.

A renowned private school in Nigeria had its website seized by hackers, who hoisted pornographic content. The data of the students was also used as leverage to demand a ransom. It is unclear whether a ransom was paid for the website to be retrieved, but it is clear that students’ data were compromised.

In 2023, a phishing attack targeted multiple Nigerian banks, resulting in the theft of millions of naira from customer accounts. Investigations revealed that the hackers had exploited weak authentication protocols.

Such incidents highlight the multifaceted nature of the threat: it is not just about money but also about the misuse of personal information for blackmail, impersonation, and other malicious activities.

On a broader scale, data breaches erode trust in digital systems, deterring citizens from adopting online services. This hesitancy undermines Nigeria’s digital transformation agenda, slowing economic growth and innovation.

Why is Nigeria vulnerable?

Several factors contribute to Nigeria’s susceptibility to data breaches and identity theft. Experts have noted weak legal frameworks, poor cybersecurity practices, low public awareness, and high Internet penetration without cyber literacy, amongst others.

For instance, the tech expert Michael noted that the Nigeria Data Protection Regulation, enacted in 2019 and updated in 2024, is the country’s primary legal framework for data protection. However, its enforcement has been inconsistent, and penalties for violations are often insufficient to deter offenders.

In 2023, for example, a commercial bank was fined N200 million for a data breach—an amount that pales in comparison to the potential revenue generated by mishandling customer data.

Michael also pointed out that many organisations in Nigeria lack the infrastructure and expertise to implement robust cybersecurity measures. “Most operate on outdated software, weak passwords, and inadequate encryption, which are common vulnerabilities that hackers exploit,” he added.

An ethical hacker working in a hacking centre in Lagos, Tunji Alade-Ade, highlighted that a significant portion of the population is unaware of the risks associated with sharing personal information online. “Scams such as phishing emails and fake investment schemes often succeed because victims do not recognise the warning signs,” he said.

According to him, while internet use is growing, cyber literacy has not kept pace. This gap, he believes, leaves many Nigerians ill-equipped to protect themselves against cyber threats.

He also added, “Many cybercriminals operate outside Nigeria, exploiting the lack of international collaboration in cybersecurity enforcement. This makes it difficult to track and prosecute offenders.”

Broader implications

Data breaches and identity theft have far-reaching consequences for Nigeria’s economy and national security. Financial institutions bear the brunt of these attacks, with the Central Bank of Nigeria estimating that cybercrime costs the country over $500 million annually. This figure does not account for the indirect costs, such as reduced consumer confidence and increased regulatory scrutiny.

From a security perspective, the misuse of stolen identities presents a significant threat. Terrorist organisations and criminal networks have been known to use fake identities to evade law enforcement. In one chilling example, a fake identity created using stolen data was linked to a high-profile arms smuggling case in 2022.

Paradigm vs NIMC

In March 2024, the Foundation for Investigative Journalism reported that a private website, XpressVerify.com.ng, was selling Nigerians’ personal data for as little as N100. This revelation indicated a severe lapse in data protection mechanisms. Although the website was swiftly taken down, the incident prompted further investigations by PIN.

Their research uncovered another platform, AnyVerify.com.ng, which had been operating since November 2023, offering services that included access to NIN, BVNs, driving licences, international passports, and more—all for a nominal fee.

Notably, AnyVerify.com.ng recorded approximately 567,990 visits in February 2024 and 188,360 visits in April 2024, highlighting the extensive reach of this data breach.

In response to these breaches, PIN, through Vindich Legal Law Firm, filed a public interest lawsuit at the Federal High Court in Abuja.

The suit named nine respondents: NIMC, the CBN, Nigeria Inter-Bank Settlement Systems PLC, Nigeria Immigration Service, Federal Inland Revenue Service, Federal Road Safety Corps, Independent National Electoral Commission, Nigeria Data Protection Commission, and the Attorney General of the Federation.

PIN sought several declarations and orders, including a comprehensive investigation into the breaches, cessation of further data processing by the implicated entities pending the investigation’s outcome, and the publication of remedial actions taken to prevent future occurrences.

The group’s Executive Director, Gbenga Sesan, disclosed on Wednesday during a press conference in Lagos that the NIMC now had the opportunity to prove to Nigerians whether a data breach occurred or not.

He revealed that the case had been filed at the Federal High Court in Abuja, with the hearing scheduled for January 22, 2025. The lawsuit stems from reports earlier this year alleging that sensitive data belonging to millions of Nigerians was being sold online.

Despite NIMC’s public denial of the breach, Paradigm Initiative’s internal investigations uncovered vulnerabilities in the commission’s systems months after the initial claims, Sesan stated.

“There were claims that data belonging to millions of Nigerians was being sold on the dark web. This raised concerns because the figures exceeded Nigeria’s population, suggesting massive duplication or unauthorised access to sensitive information across multiple platforms,” Sesan explained.

He further noted that, although NIMC assured the public in April that the breach had been resolved, Paradigm Initiative discovered in June that a new platform was being used to sell Nigerians’ data.

“This discovery highlights a failure to address the root cause of the issue,” he added.

Sesan also disclosed that the organisation purchased personal data belonging to senior government officials, including the Minister of Communications and Digital Economy and NIMC’s Director General, to demonstrate the ongoing nature of the breaches.

“This wasn’t an easy decision, but it was necessary to get the attention of authorities who have failed to act on previous reports. If they won’t protect the data of ordinary Nigerians, maybe they’ll care when it’s their own data being sold,” Sesan stated.

Despite this glaring evidence, NIMC publicly denied any breaches of its database, asserting that the NIN data of Nigerians remained secure and uncompromised.

NIN suffers 18% attempted fraud rate

A 2024 Digital Identity Fraud in Africa Report by Smile ID has revealed that National Identification cards are the most attacked document type in the region.

The report stated that, in West Africa, most fraudulent documents were identified due to failed security features, highlighting the significant presence of counterfeit identification documents.

With the economy struggling to remain afloat, telecommunications operators have advocated for policies that can foster innovation and investments.

According to the report, in the last two years, an overwhelming number of attacks were directed at National ID cards, accounting for 80 per cent of all document fraud attacks in the region.

The report noted that 11 out of the top 19 most attacked document types were also national IDs, with the Kenyan ID being the most vulnerable, showing a 26 per cent fraud rate.

On the list, Nigeria’s National ID, the NIN, suffered an 18 per cent attempted fraud rate.

The security around the NIN has come under serious scrutiny in the last seven months. It was alleged that there were compromises from some front-end partners, leading to data breaches, including that of the Minister of Communications, Innovation and Digital Economy, Dr Bosun Tijani, whose NIN was reportedly bought at ridiculous prices—a development NIMC denied.

The data showed that, on a year-on-year basis, the Q3 2024 capital importation for the telecoms sector represented a 77 per cent decline compared to the $64.05 million recorded in the same period last year.

However, despite the challenge, the President of ATCON, Tony Emoekpere, stated at the 31st Anniversary Dinner that the body and its members remain committed to ensuring Nigeria stays competitive within the global community.

Emoekpere emphasised that ATCON would continue to advocate for policies that promote innovation and investment, drive infrastructure development to bridge connectivity gaps, and foster collaboration between the public and private sectors to position Nigeria as a leading digital economy in Africa.

Securing Nigeria’s digital future

Data democrats and tech experts have noted that addressing the issue of data breaches and identity theft requires a comprehensive and coordinated effort.

They noted that strengthening Nigeria’s legal frameworks is a crucial first step.

For instance, Alade-Ade noted that the Nigerian Data Protection Regulation should be revised to include stricter penalties for data breaches.

“Empowering the Data Protection Agency with enforcement powers can further ensure compliance and accountability in safeguarding personal information.

“Equally important is the improvement of cybersecurity infrastructure across organisations. Businesses and institutions must invest in modern cybersecurity tools and practices, such as advanced encryption, multi-factor authentication, and regular security audits. These measures will fortify defences against cyber threats and reduce vulnerabilities in digital systems,” he said.

He also highlighted the importance of public awareness in combating cyber risks.

“Cybercrime is a global issue, and Nigeria must collaborate with international partners to address it effectively. By working with global organisations, the country can track and prosecute cybercriminals operating across borders, sharing intelligence and resources to tackle this growing threat,” he added.

He further advocated for transparency in incident reporting.

“Organisations must be mandated to report data breaches promptly, enabling authorities to respond swiftly and mitigate potential damage. This openness will not only protect victims but also build public trust in the digital ecosystem,” he noted.

This report is produced under the DPI Africa Journalism Fellowship Programme of the Media Foundation for West Africa and Co-Develop.