By Rakiya A. Muhammad
The activities of unauthorised platforms holding sensitive data have sparked widespread concerns about the security and privacy of users’ data.
A digital rights group, Paradigm Initiative, recently alleged that personal data, including tax identification numbers, bank verification numbers, and national identification numbers, were being sold.
“In a shocking revelation, Paradigm Initiative has found out that several unauthorised websites are claiming to hold and provide access to Nigerian citizens’ sensitive personal and financial data for as little as 100 Naira,” the organisation reveals.
“This alarming development presents a major breach of the fundamental rights to privacy, a breach of data privacy rights and poses significant risks to individuals and the national economy.”
Paradigm Initiative says these unofficial platforms expose grave flaws in the nation’s cyber security and data protection laws, highlighting the urgent need for robust data protection laws and efficient enforcement strategies to safeguard citizens’ data.
It implores the Nigerian government to undertake prompt and resolute measures to tackle this pressing issue, including a comprehensive investigation to identify these illicit online activities, augmenting cybersecurity protocols to avert additional data breaches, and enforcing Nigeria’s Data Protection Act.
The group also advocates strengthening the Nigeria Data Protection Commission (NDPC), protecting the privacy and security of citizens’ information, raising public awareness about the risks associated with data breaches, and providing guidance on how individuals can protect themselves.
Faces of Illegality
After the report, the National Identity Management Commission (NIMC) disseminated information regarding websites it says are unauthorised data harvesters lacking NIMC authorisation to access or manage sensitive data.
Among these are idfinder.com.ng, anyverify.com, championtech.com.ng, trustyonline.com, and Verify.Ng/sign in
Kayode Adegoke, Head of Corporate Communications at NIMC, advises the public to disregard any claims or services made by these websites and to avoid providing their data because they are potentially fraudulent. Data provided by the public on such websites, he adds, is gathered and stored to build the data services they illegally provide.
NIMC, however, refutes the allegation of exposure of sensitive data of Nigerian citizens as it concerns the Commission amongst many other data-collecting agencies.
He emphasises that licensed partners or vendors are not allowed to scan or retain NIN slips and must validate them through authorised channels. He also reaffirms NIMC’s dedication to upholding ethical data protection standards in compliance with federal government directives and data privacy regulations.
“The Commission, at this moment, assures the public that the data of Nigerians has not been compromised, and the Commission has not authorised any website or entity to sell or misuse the National Identification Number (NIN) amongst all the identities stated in the report,” he says.
“Consequently, the public should know that the Commission has taken robust measures to safeguard the nation’s database from cyber threats - a secure, world-class, foolproof database is in place.”
The Communications chief emphasises that the Commission’s infrastructure meets the stringent ISO 27001:2013 Information Security Management System Standard, with annual recertification and strict compliance with the Nigerian Data Protection Law.
Adegoke cautions Nigerians against giving their information to phishing and unapproved websites, emphasising that doing so exposes them to data harvesting, including of their personal information.
Taming the Data Beast
But with sensitive personal and financial information at risk, the question looms: how can we better defend ourselves against these invisible threats?
Jake Okechukwu, a technology law professor and lawyer, elucidates the concerns and proactive strategies that can mitigate databases’ susceptibility to hacking, ensuring that data remains secure in an increasingly perilous digital world.
“Cyber criminals these days have gotten really smart, and they use all kinds of social engineering tactics to trick employees or trick people into revealing login credentials or revealing access to this database,” observes the attorney.
“It is also possible that the security protocol could have been weak. There may be a weak password, a lack of encryption, or even the software has expired - outdated software; these things can make a database vulnerable to hacking.”
The technology law expert adds that it could also be a product of a network of data trading: “Today, there is an underground network where stolen data is exchanged.”
He points out a hole in the current data protection framework: “I think our Nigerian data protection framework is not perfect. It has some vulnerability, both on the technical side and on the NIMC side.”
Okechukwu highlights the significance of prompt government action regarding access control. “I think in Nigeria, there are too many personnel that have access to Nigerians’ sensitive data,” he points out.
“Also, we must ensure adequate encryption to prevent unauthorised access. From a technical perspective, data at rest and in transit need to be adequately encrypted so that we don’t have these breaches happen quite often.”
Regarding the legal aspect, he asserts: “We have the Nigerian Data Protection Act, but if you look at section 39 that talks about the implementation of appropriate technical organisation measures, it does not explain what appropriate means, so the Act needs to be more specific on the guidelines and standards.”
He stresses the importance of clear technical standards and guidelines.
“For example, it doesn’t talk about how regularly we should do a security audit, how regularly we should do implementation testing,” highlights the lawyer.
“It also does not talk about the response mechanism in detail; it needs to be quite articulate.”
The second concern from a legal standpoint is the cross-border movement of personal data.
“I think in Nigeria, we transfer a lot of our data to various recipient countries and organisations without adequate broad frameworks for the cross-border protection of our data.”
He calls for more detailed and stringent records to assess data protection for recipient countries and other entities, saying the breach could also constitute an international assault—where a foreign entity monetises personal data.
He accentuates the need to be robust in service-level agreements, data processing, and data-sharing agreements. “There needs to be much stronger conversations, and these agreements should cover instances of data breaches like this.”
He poses these rhetorical questions: “Where are Nigerian data stored? Who has access to that storage or cloud platform? What happens when a breach happens? How do we delete data? How do we anonymise data? These are terms in the agreement that need to be fleshed out.”
The digital law expert urges third-party vendors working with Nigerian datasets, even if they are private firms, to recognise that the public holds them to the same standards as any department, ministry, or agency, and not to view their work as purely a business effort.
“The undersigning between these third-party vendors needs to be concrete for them to understand the sensitivity of their possession, in the way that they handle our data, the ways that they share it, the ways that they store it, the way that they move it across from one party to another.”
He encourages citizens to do their part. “Use strong passwords, don’t share personal information, don’t overshare, and use two-factor authentication,” asserts the legal luminary.
“As much as possible, if you do not need your data in an organisation, ask for it to be deleted; it’s your right.”