A circular issued by the National Identity Management Commission (NIMC) to its verification service agents has exposed the private data of over 100 million Nigerians to unlicensed entities and profiteers, according to a report by TheCable.
The whistle was first blown in a report by the Foundation for Investigative Journalism (FIJ) which said XpressVerify, an unregistered verification agent, had unrestricted access to the national identification numbers (NINs) and personal details of every Nigerian registered in the nation’s identity database managed by NIMC.
XpressVerify monetises access to NINs and the personal information of Nigerians on the database.
But in her reaction, Abisoye Coker-Odusote, the director-general and CEO of NIMC, said the commission only offers NIN verification and other services through licensed partners.
She ordered a comprehensive investigation “to find out if any of the Commission’s Tokenisation verification agents has in any way breached the licensing agreement either directly or through any of their sub-licensees”.
However, her response was a smokescreen, according to insiders at the commission.
According to the report, a recent directive by the NIMC reinstating the NIN verification service (NVS) opened the door to unlicensed and unauthorised parties to gain unfettered access to the database of all Nigerians captured on NIN.
There are suggestions that the profiteering entities have links to some NIMC staff members.
THE GENESIS
In 2012, the NIMC developed the NVS to grant verification agents access to the information stored on the database as may be demanded by Nigerians.
But following an audit by the World Bank in 2017, it was discovered that there were several vulnerabilities in the NVS and there was a need for stricter audit controls, transparency and protection of personal information.
It was discovered that a licensed agent could create its own application programming interface (API) calls and provide services to a “sub agent” without NIMC’s knowledge.
The sub agent could use the licensed agent’s API to pull information from the NVS, again without NIMC’s knowledge: NIMC would only see its licensed agent’s credentials making the request, while the data ended up elsewhere.
Licensed agents charged the sub agents for the service without remitting proceeds to NIMC, under the pretext that the business was not viable, while at the same time asking clients to pay between N50 and N500 and claiming the money was meant for the NIMC.
The sub agent, realising how lucrative the business was, would in turn create its own API and grant access to a “sub sub agent”. It is now thought that XpressVerify is a “sub sub agent”.
As a result of these vulnerabilities, the NVS was shut down by NIMC in 2017.
THE REVERSAL
In 2023, President Bola Tinubu appointed Coker-Odusote as the new DG of the NIMC, following which some officials of the commission persuaded her to reopen the old, vulnerable NVS.
She was allegedly told that it only required “a more robust hardware upgrade” but that all was well with the service.
On February 26, 2024, Carolyn Folami, a director and head of business development and commercial services, issued a circular to the commission’s verification service agents to restore the NVS.
“Kindly be informed that the NIMC, in a renewed commitment towards enlarging the use of the NIN for verification services across all industry, has reopened the NVS for your organizations’ use for verification services,” she wrote, in a document seen by TheCable.
“Also note that NIMC is working on an upgrade and further improvements on the NIN Pseudonymization verification services as well, which will be duly communicated.
“Please contact the Business Development and Commercial Services department of the NIMC for renewed credentials and further support services. In addition, do provide the contact email and phone number of your organization’s team lead for the exercise.
“The foregoing is for your information and necessary action.”
An official of the commission who declined to be named for fear of victimisation said this was the root cause of the data breach.
“That memo and the directive contained in it effectively reversed all the security measures put in place in creating the NVS. It is like opening the bank vault for the public to have a free run on the cash,” the official said.
“With the roll-back to the NVS, it means anyone who has a verification licence and a NIN can query data with or without consent.
“All the reports listed about data vulnerabilities are a cover-up. It will be wise to conclude that the current CEO has no clue what she’s doing as she’s listening to folks only interested in their pockets.
“Otherwise, such a memo would never have been issued. Bottom line is NIMC does not permit any raw NIN verification. The tokenisation is user consent management. Without the ID holder providing their explicit consent, you can’t get the data. And you have to ask first and be given a virtual NIN (vNIN) which is the consent token.
“I can assure you that there are very minimal controls in place. The staff at the NIMC are the developers of the NVS solution and some created a few backdoors for themselves as there is no visibility beyond what they wish for anyone to see.”
TheCable was told that there is a quick fix if the government is ready to act to protect the private data of Nigerians, which is a legal right and not a privilege.
The first action, it is suggested, is the immediate shutdown of the NVS.
“Thereafter, all licensed agents should be made to sign a declaration of conformity: that they have purged all their databases of any and all personal information of NIN holders and BVN holders; that they will implement very strong data privacy initiatives, which will include but not be limited to the implementation of transparent data encryption at rest and in transit; that they will subject themselves to random external audits of their systems and agree to pay a fine where they may have been found to be in breach of the Nigerian Data Privacy Act,” an industry expert said.
He also said NIMC should authorise snap audits by forensic auditors of all verification entities and ensure that every time a person’s identity is required to be verified, the ID holder will provide electronic user consent which may be used once “and once only”.
“The commission should review security controls and provide unfettered visibility of all verification agents, by the clandestine services and functional regulators,” he suggested, adding that no raw NIN (11-digit number) should be sought or obtained by any verification entity.
“In order to protect the NIN, the ID holder should provide a user consent token (or vNIN) which will provide both one time user consent, meet the NIMC Act 2007 requirements for provision of the NIN, as well as protect the raw NIN from abuse and identity theft.
“NIMC should ensure that the ID holder has full access to all information about how their NIN has been used, how it has been verified, by whom and when, and details of all functional tokens linked to the NIN, such as health insurance, drivers’ licence and even passports, without having to provide the functional information, such as bank account numbers, passport numbers and so on.”
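To make the two mechanisms described in this report concrete, the following is an added illustration (not code from NIMC, TheCable or any verification agent). It contrasts the NVS-style raw-NIN lookup described under THE GENESIS, where the audit trail names only the licensed agent whose credential was presented, with the single-use vNIN consent token the expert describes, bound to one consenting agent and logged for the ID holder; the class names, agent names and the sample NIN record are constructed for the example.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed sample record (fabricated NIN and holder); not NIMC data.
NIN_DB = {"12345678901": {"name": "Sample Holder", "dob": "1990-01-01"}}

class RawNvs:
    """NVS-style path from the report: any caller presenting a licensed agent's
    credential pulls a record by raw NIN; the log only ever names that agent."""
    def __init__(self, licensed):
        self.licensed = licensed            # credential -> licensed agent name
        self.audit = []                     # (nin, agent) as NIMC would see it
    def verify(self, credential, nin):
        agent = self.licensed.get(credential)
        if agent is None or nin not in NIN_DB:
            return None
        self.audit.append((nin, agent))     # a sub agent reusing the credential is invisible
        return dict(NIN_DB[nin])

@dataclass
class Consent:
    nin: str
    agent: str          # the single agent the holder consented to
    expires: float
    used: bool = False

class TokenisedVerifier:
    """Consent-token (vNIN-style) path: the holder mints a single-use token bound
    to one agent; agents never send a raw NIN; every use is logged for the holder."""
    def __init__(self):
        self.tokens = {}
        self.audit = []                     # (nin, agent, outcome), holder-visible
    def issue_vnin(self, nin, agent, ttl=300):
        vnin = secrets.token_urlsafe(16)    # unguessable and not derived from the NIN
        self.tokens[vnin] = Consent(nin, agent, time.time() + ttl)
        return vnin
    def verify(self, agent, vnin):
        c = self.tokens.get(vnin)
        if c is None:                       # raw NINs and guesses are never tokens
            self.audit.append((None, agent, "denied:unknown-token"))
            return None
        if c.used or c.agent != agent or time.time() > c.expires:
            self.audit.append((c.nin, agent, "denied"))
            return None
        c.used = True                       # "once and once only"
        self.audit.append((c.nin, agent, "verified"))
        return {"name": NIN_DB[c.nin]["name"]}   # attribute only; raw NIN withheld
```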
On Sunday night, NIMC and the Nigerian Communications Commission (NCC) issued a joint statement promising to work together on the NIN-SIM link exercise.