A recent report by TheCable revealed that a circular issued by the National Identity Management Commission (NIMC) to its verification service agents compromised the sensitive information of over 100 million Nigerians to unlicensed parties and profiteers.
This came in the wake of an alert report by the Foundation for Investigative Journalism (FIJ), which revealed that a private website, XpressVerify.com, had access to the National Identification Numbers (NINs) and personal details of Nigerians, which goes against the law. It also revealed that XpressVerify monetises access to NINs and Nigerians’ personal information in the database.
Following this revelation by FIJ, Abisoye Coker-Odusote, the director-general and CEO of NIMC, issued a statement clarifying that the commission offers NIN verification services through licensed partners, distancing itself from XpressVerify and launching an investigation into the breach.
However, the report by TheCable disclosed that NIMC itself compromised the system, allowing unlicensed parties access to NIN data.
The report highlighted that the NIN Verification Service (NVS), launched by NIMC in 2012, was found to have vulnerabilities in a World Bank audit conducted in 2017.
The audit found a need for strict audit controls to ensure transparency and safeguard personal information. This was prompted by the discovery that licensed agents could clandestinely set up their own application programming interface (API) and resell the service to subagents without the knowledge of the National Identity Management Commission (NIMC).
These subagents, in turn, could access information from the NVS without the NIMC’s oversight. Exploiting this loophole, licensed agents profited by charging subagents for services rendered yet failing to remit the proceeds to the NIMC. These charges typically ranged from N50 to N500.
With the expansion of this business model, subagents began registering additional subagents, compounding the issue.
Following the discovery of these vulnerabilities during the audit, the NIMC took the decisive step of shutting down the NVS in 2017.
However, in 2023, President Bola Tinubu appointed Coker-Odusote to lead the NIMC, and certain officials urged her to reopen the NVS despite its known flaws.
On February 26, 2024, Carolyn Folami, the director and head of business development and commercial services, issued a circular instructing verification service agents to reinstate the NVS.
The circular read:
Kindly be informed that the NIMC, in a renewed commitment towards enlarging the use of the NIN for verification services across all industries, has reopened the NVS for your organisations’ use for verification services.
Also note that NIMC is working on an upgrade and further improvements on the NIN Pseudonymisation verification services as well, which will be duly communicated.
Please contact the Business Development and Commercial Services department of the NIMC for renewed credentials and further support services. In addition, do provide the contact email and phone number of your organisation’s team lead for the exercise. The foregoing is for your information and necessary action.
According to an unnamed NIMC staff member quoted by the newspaper, this move disregarded existing security measures. The staff member criticised Coker-Odusote’s decisions and the lack of controls in place, saying:
That memo and the directive contained in it effectively reversed all the security measures put in place in creating the NVS. It is like opening a bank vault for the public to have a free run on the cash.
With the rollback to the NVS, it means anyone who has a verification licence and a NIN can query data with or without consent.
All the reports listed about data vulnerabilities are a cover-up. It would be wise to conclude that the current CEO has no clue what she’s doing, as she’s listening to folks only interested in their pockets.
Otherwise, such a memo would never have been issued. The bottom line is that NIMC does not permit any raw NIN verification. The tokenisation is user consent management. Without the ID holder providing their explicit consent, you can’t get the data. And you have to ask first and be given a virtual NIN (vNIN), which is the consent token.
I can assure you that there are very minimal controls in place. The staff at the NIMC are the developers of the NVS solution, and some created a few backdoors for themselves as there is no visibility beyond what they wish for anyone to see.
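The quoted staff member describes a consent-based design: no raw NIN lookups, and every query must present a virtual NIN (vNIN) that the ID holder obtained as a consent token. The following is an added, hypothetical Python model of such a gateway, written for this page to make the control concrete; it is not NIMC's implementation, and the agent names, record values and NIN shown are constructed placeholders. It shows why the two failure modes described in the article (raw NIN queries, and subagents hiding behind a licensed agent's credential) are blocked when each vNIN is bound to one licensed agent, expires, is single-use, and every attempt is written to an audit trail attributed to the credential that made it.

```python
"""Hypothetical consent-token (vNIN) verification gateway.

Added illustration for this article; not NIMC code. All identifiers,
records and the sample NIN below are constructed for the demo.
"""
import secrets
import time
from dataclasses import dataclass

# Constructed registry of licensed verification agents and a tiny record store.
LICENSED_AGENTS = {"agent-A", "agent-B"}
RECORDS = {"12345678901": {"name": "Demo Holder", "dob": "1990-01-01"}}


@dataclass
class Consent:
    """One holder-granted consent: which NIN, for which agent, until when."""
    nin: str
    agent_id: str        # the single agent the holder consented to
    expires_at: float    # epoch seconds
    used: bool = False   # a vNIN is single-use; replays are refused


class VerificationGateway:
    def __init__(self, now=time.time):
        self.now = now        # injectable clock so expiry can be tested
        self.consents = {}    # vNIN -> Consent
        self.audit = []       # (agent_id, token_or_"raw", outcome) per attempt

    def issue_vnin(self, nin, agent_id, ttl=600):
        """Holder-initiated step: mint a short-lived vNIN bound to one agent.

        The raw NIN never leaves this side; the agent only ever sees the vNIN.
        """
        if nin not in RECORDS:
            raise KeyError("unknown NIN")
        vnin = "v" + secrets.token_hex(8)
        self.consents[vnin] = Consent(nin, agent_id, self.now() + ttl)
        return vnin

    def verify_raw_nin(self, agent_id, nin):
        """Raw NIN lookups are never served, whoever asks; the attempt is logged."""
        self.audit.append((agent_id, "raw", "denied"))
        return None

    def verify_vnin(self, agent_id, vnin):
        """Serve a record only for a valid, unexpired, unused vNIN bound to this agent."""
        outcome, record = self._check(agent_id, vnin)
        self.audit.append((agent_id, vnin, outcome))
        return record

    def _check(self, agent_id, vnin):
        if agent_id not in LICENSED_AGENTS:
            return "unlicensed", None
        consent = self.consents.get(vnin)
        if consent is None:
            return "unknown-token", None
        if consent.agent_id != agent_id:
            # A token issued for agent A presented by agent B: a resold or
            # proxied query, which this binding makes visible and refuses.
            return "agent-mismatch", None
        if consent.used:
            return "replayed", None
        if self.now() > consent.expires_at:
            return "expired", None
        consent.used = True
        return "ok", dict(RECORDS[consent.nin])

    def outcomes(self):
        """Audit outcomes in order, for review or alerting."""
        return [outcome for _, _, outcome in self.audit]


def demo():
    """Walk through the cases the article describes; returns the audit outcomes."""
    clock = [1_000.0]
    gw = VerificationGateway(now=lambda: clock[0])
    vnin = gw.issue_vnin("12345678901", "agent-A")
    gw.verify_raw_nin("agent-A", "12345678901")   # raw NIN: denied
    gw.verify_vnin("agent-B", vnin)               # other agent: agent-mismatch
    gw.verify_vnin("agent-A", vnin)               # consented agent: ok
    gw.verify_vnin("agent-A", vnin)               # second use: replayed
    stale = gw.issue_vnin("12345678901", "agent-A", ttl=60)
    clock[0] += 61
    gw.verify_vnin("agent-A", stale)              # past ttl: expired
    return gw.outcomes()


if __name__ == "__main__":
    print(demo())
```

Because every outcome is attributed to the licensed credential that made the call, a licensed agent reselling access to subagents can no longer hide those queries, and because each record release needs a fresh holder-issued vNIN, bulk lookups without consent are not possible even with valid credentials.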