How NIMC exposed private data of 100m Nigerians to dubious verification agents

It was discovered that a licensed agent could create its own application programming interface (API) calls and provide services to a “sub-agent” — unknown to NIMC.

The National Identity Management Commission (NIMC) issued a circular to its verification service agents, exposing the private data of over 100 million people to unlicensed entities and profiteers, according to TheCable.

The Foundation for Investigative Journalism (FIJ) first blew the whistle, reporting that XpressVerify, an unregistered verification agent, had unrestricted access to the national identification numbers (NINs) and personal information of every Nigerian registered in the country’s identity database, which is managed by NIMC.

XpressVerify monetizes access to NINs and Nigerians’ personal information in the database.

However, Abisoye Coker-Odusote, NIMC‘s director-general and CEO, responded by stating that the commission only provides NIN verification and other services through licensed partners.

She requested an in-depth investigation “to find out if any of the Commission’s Tokenisation verification agents has in any way breached the licensing agreement either directly or through any of their sub-licensees”.

However, insiders at the commission say her response was a smokescreen.

According to TheCable, the NIMC’s recent directive to reinstate the NIN verification service (NVS) has allowed unlicensed and unauthorised parties to gain unrestricted access to the database of all Nigerians captured on NIN.

There are suggestions that the profiteering entities have ties to some NIMC employees.

How dubious verification agents access data

The NIMC created the NVS in 2012 to provide verification agents with access to information stored in the database as requested by Nigerians.

However, following an audit by the World Bank in 2017, it was discovered that there were several vulnerabilities in the NVS and there was a need for stricter audit controls, transparency and protection of personal information.

It was discovered that a licensed agent could create its own application programming interface (API) calls and provide services to a “sub-agent” — unknown to NIMC.

The sub-agent could use the API provided by the licensed agent to pull information from the NVS — also unknown to NIMC, which would only see its licensed agent’s credentials making the request, whereas the data would end up elsewhere.

Licensed agents charged the sub-agents for the service without remitting proceeds to NIMC, under the pretext that the business was not viable — while at the same time asking clients to pay between N50 and N500 and claiming the money was meant for the NIMC.

The sub-agent, realising how lucrative the business is, would also create its own API and grant access to a “sub-sub-agent”. It is now thought that XpressVerify is a “sub-sub-agent”.

As a result of these vulnerabilities, the NVS was shut down by NIMC in 2017.

In 2023, President Bola Tinubu appointed Coker-Odusote as the new DG of the NIMC, following which some officials of the commission persuaded her to reopen the old, vulnerable NVS.

She was allegedly told that it only required “a more robust hardware upgrade” and that all was otherwise well with the service.

On February 26, 2024, Carolyn Folami, a director and head of business development and commercial services, issued a circular to the commission’s verification service agents to restore the NVS.

She wrote, in a document seen by TheCable:

“Kindly be informed that the NIMC, in a renewed commitment towards enlarging the use of the NIN for verification services across all industries, has reopened the NVS for your organizations’ use for verification services.”

“Also note that NIMC is working on an upgrade and further improvements on the NIN Pseudonymization verification services as well, which will be duly communicated.

“Please contact the Business Development and Commercial Services department of the NIMC for renewed credentials and further support services. In addition, do provide the contact email and phone number of your organization’s team lead for the exercise.

“The foregoing is for your information and necessary action.”

An official of the commission who declined to be named for fear of victimisation said this was the root cause of the data breach.

The official said:

“That memo and the directive contained in it effectively reversed all the security measures put in place in creating the NVS. It is like opening the bank vault for the public to have a free run on the cash.”

“With the roll-back to the NVS, it means anyone who has a verification licence and an NIN can query data with or without consent.

“All the reports listed about data vulnerabilities are a cover-up. It would be wise to conclude that the current CEO has no clue what she’s doing as she’s listening to folks only interested in their pockets.

“Otherwise, such a memo would never have been issued. The bottom line is that NIMC does not permit any raw NIN verification. The tokenisation is user consent management. Without the ID holder providing their explicit consent, you can’t get the data. You have to ask first and be given a virtual NIN (VIN) which is the consent token.

“I can assure you that there are very minimal controls in place. The staff at the NIMC are the developers of the NVS solution and some created a few backdoors for themselves as there is no visibility beyond what they wish for anyone to see.”
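The two designs contrasted above, the raw NIN lookup of the old NVS (any request carrying a licensed agent’s credential is answered, so a sub-agent reusing that credential is invisible to the audit log) and the tokenised model in which the ID holder first consents and receives a virtual NIN (VIN) that the agent presents instead of the raw NIN, can be illustrated with a small model. This is an added example, not code from the article, NIMC or any verification agent; the record layout, agent keys, VIN format and lifetimes are constructed assumptions.

```python
"""Toy model of the two NIN verification designs described in the article.

Constructed example: records, agent keys and token format are invented.
"""
import secrets
import time

# Constructed sample identity database (fictional records).
DATABASE = {
    "11111111111": {"name": "Sample Holder A", "dob": "1990-01-01"},
    "22222222222": {"name": "Sample Holder B", "dob": "1985-05-05"},
}

# Constructed credentials NIMC is assumed to have issued to licensed agents.
LICENSED_AGENTS = {
    "agent-key-001": "Licensed Agent One",
    "agent-key-002": "Licensed Agent Two",
}


class RawVerificationService:
    """Model of the old NVS: a raw NIN is answered for any licensed credential.

    The audit log can only record the credential presented, so traffic a
    sub-agent sends through the licensed agent's key is indistinguishable
    from the licensed agent's own queries.
    """

    def __init__(self):
        self.audit_log = []

    def verify(self, agent_key, nin):
        if agent_key not in LICENSED_AGENTS:
            raise PermissionError("unknown credential")
        self.audit_log.append({"agent": LICENSED_AGENTS[agent_key], "nin": nin})
        return DATABASE.get(nin)


def subagent_lookup(service, upstream_key, nin):
    """A sub-agent (or sub-sub-agent) reusing its upstream agent's key.

    Nothing in the request identifies the sub-agent; the server attributes
    the lookup to the licensed agent.
    """
    return service.verify(upstream_key, nin)


class TokenisedVerificationService:
    """Model of consent-token verification: no raw NIN lookups at all.

    The holder asks for a VIN bound to one named agent; the agent presents
    the VIN, which is single-use and expires, so every answered query is
    tied to an explicit consent and to the agent the holder named.
    """

    def __init__(self):
        self._issued = {}  # vin -> (nin, bound agent key, expiry time)
        self.audit_log = []

    def issue_vin(self, nin, agent_key, now=None, ttl=300):
        """Called on the ID holder's behalf to consent to one agent."""
        now = time.time() if now is None else now
        if nin not in DATABASE:
            raise KeyError("unknown NIN")
        if agent_key not in LICENSED_AGENTS:
            raise PermissionError("consent can only name a licensed agent")
        vin = secrets.token_hex(8)  # constructed VIN format
        self._issued[vin] = (nin, agent_key, now + ttl)
        return vin

    def verify_raw(self, agent_key, nin):
        """Raw NIN verification is refused regardless of credential."""
        raise PermissionError("raw NIN verification not permitted")

    def verify(self, agent_key, vin, now=None):
        """Return the record only for a live VIN bound to this agent."""
        now = time.time() if now is None else now
        entry = self._issued.pop(vin, None)  # single use: consumed on first try
        if entry is None:
            self.audit_log.append({"agent": agent_key, "result": "unknown or reused VIN"})
            return None
        nin, bound_agent, expiry = entry
        if agent_key != bound_agent:
            self.audit_log.append({"agent": agent_key, "result": "VIN bound to another agent"})
            return None
        if now > expiry:
            self.audit_log.append({"agent": agent_key, "result": "VIN expired"})
            return None
        self.audit_log.append({"agent": LICENSED_AGENTS[agent_key], "result": "ok"})
        return DATABASE[nin]


def raw_lookups_attributed_to(service, agent_name):
    """Count how many audit entries the old design pins on one licensed agent."""
    return sum(1 for e in service.audit_log if e["agent"] == agent_name)
```

Running `subagent_lookup` several times against `RawVerificationService` and then calling `raw_lookups_attributed_to` shows the visibility gap the article describes: every query, whoever actually made it, lands in the log under the licensed agent. The tokenised service answers only a VIN that the holder issued for that specific agent, and a second use, a different agent or a stale token is refused and logged as such.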
