A cyber security expert explained that while the data of unsuspecting visitors to certain sites could be easily harvested, it is impossible to obtain a large volume of data through phishing alone.
The National Identity Management Commission (NIMC) says the data of Nigerians "has not been compromised" despite controversial websites like anyverify.com selling such data which NIMC and other government-authorised agencies collected.
An investigation by a digital social enterprise, Paradigm Initiative, detailed how the website provided access to the private information of Nigerians for a token.
"This alarming development presents a major breach of the fundamental rights to privacy, a breach of data privacy rights and poses significant risks to individuals and the national economy," Paradigm Initiative wrote on X.
In its response to the apparent data breach, NIMC, which issues the national identity number and handles Nigeria's national database, blamed the violation on the carelessness of Nigerians who upload their personal data to such websites.
"NIMC advises Nigerians to avoid giving their data to unauthorised and phishing sites. This poses the danger of data harvesting.
"NIMC urges the public to disregard any claims or services these websites offer and should not give their data as they are potentially fraudulent and data provided by the public on such websites are gathered and stored to build the data services they illegally provide," NIMC wrote in a Saturday statement by its Head of Corporate Communications, Kayode Adegoke.
AnyVerify.com.ng has since gone offline, although Paradigm Initiative says it archived all the information on the website.
Experts weigh in
Cyber security experts say NIMC may be wrong in its position that visits to rogue websites are the sole reason for the data breach.
In an interview with PREMIUM TIMES, a cyber security expert, Oluwafemi Obadare, stated that the likely situation is that authorised partners compromised NIMC's database.
Mr Obadare explained that while the data of unsuspecting visitors to certain sites can be easily harvested, it is impossible to obtain a large volume of data through phishing alone.
"Inasmuch as it is possible for websites to harvest data of users based on what some users posted and put on the internet, getting that volume of data can't be from just data harvesting alone," he explained.
"My assumption is that it is likely there is a gap from any of the authorised partners that have legitimate access to these confidential data," he added.
For years, Nigeria has grappled with the issue of data security and data breaches.
Earlier in the year, the National Commissioner of the Nigeria Data Protection Commission (NDPC), Vincent Olatunji, confirmed that the commission was investigating 17 major cases of data breaches and violations in the country.
For Adedeji Adedoyin, another cyber security expert, the problem of illegal access and sale of private data of Nigerians is a very serious situation with dire consequences for Nigeria's national security.
"The exposure of our national database from NIMC to illegal data merchants on the open web is a clear breach of national security and puts innocent citizens at a global risk.
"This incident is not just a technical failure; it represents a significant lapse in safeguarding the personal information of millions of innocent Nigerians," he stated.
Strengthening data laws
The 1999 constitution (as amended) recognises privacy as a fundamental human right and guarantees the protection of citizens, their homes, correspondence, telephone conversations and telegraphic communications.
This led to the enactment of the Nigerian Data Protection Act (NDPA) 2023 and the establishment of the Nigeria Data Protection Commission. Among other things, the commission is responsible for regulating the deployment of technology and organisational measures to facilitate data protection.
The NDPA provides guidelines on the management of personal data to institutions and agencies of government, such as the National Identity Management Commission, which handles the national database of Nigerians.
Section 26 (1) of the National Identity Management Commission Act 2007 makes it unlawful for the commission to give out information about Nigerians contained in the database except for reasons bordering on national security.
"No person or body corporate shall have access to the data or information contained in the Database with respect to a registered individual entry except with the authorisation of the Commission and only if: (a) an application for the provision of the information to that person is made by or with the authority of that individual; or (b) that individual otherwise consents to the provision of that information to that person," the Act stated.
Mr Adedoyin believes the government should enact stronger data laws and hold both private and public institutions accountable for incidents like these.
"Government urgently needs to strengthen data protection protocols, create a more formidable cyber defence network, rapidly improve cyber response and embark on a national citizen awareness to help citizens better understand how to protect themselves," he said.