AnyVerify, a website that claims to help businesses verify their customers, is selling the personal information of over 100 million Nigerians—including National Identification Number (NIN), Bank Verification Number (BVN), and Tax Identification number—despite being unlicensed by the country’s identity management commission (NIMC).
For ₦190 (13 cents), AnyVerify will pull up an accurate profile of any Nigerian. It is the second time in a year that an unlicenced entity is offering the personal information of Nigerians for sale. In March 2024, the National Identity Management Commission (NIMC) denied claims that XpressVerify, a website selling personal information, was one of its licensed partners.
An investigation by the Nigeria Data Protection Commission (NDPC) found NIMC’s security infrastructure compliant and indicated that the March breach was due to access abuse by an NIMC agent.
Some persons were arrested over the incident, one person familiar with the matter said. A spokesperson for the NIMC denied the claims at the time.
NIMC’s database is licensed to banks, fintechs, and other partners for a fee. AnyVerify is not a NIMC-licensed partner. It raises questions about how the website has access to the database.
“We tested the website, archived it and could pay for NIN slips belonging to Bosun Tijani the minister of Communications, Innovation and Digital Economy and Vincent Olatunji, the commissioner of the NDPC,” said Gbenga Sesan, the executive director of Paradigm Initiative, a non-profit whose investigation first reported on the matter.
Unlike NIMC and its partners, AnyVerify, which identifies itself as a verification tool, has no vetting process to identify bad actors. Users are required to submit their email addresses and NINs—the same data they intend to verify. After registration, users are presented with a wallet to fund with at least ₦400 before using the website.
NIMC and Nigeria Data Protection Commission (NDPC) did not immediately respond to a request for comments.
“It is either the NIMC is doing a poor job at data protection by using a cloud storage to store data or an insider is allowing individuals retrieve data,” said one ethical hacker who asked not to be named so they could speak freely.
Launched in November 2023, AnyVerify was visited 567,990 times and 188,360 in February and April 2024 respectively, according to Paradigm Initiative.
The data breaches come months after the National Identity Management Commission (NIMC) was moved to the Office of the Secretary to the Government of the Federation from the Ministry of Communications, Innovation and Digital Economy.
Get the best African tech newsletters in your inbox
>>> Read full article>>>
Copyright for syndicated content belongs to the linked Source : TechCabal – https://techcabal.com/2024/06/21/anyverify-nigerian-data-leak/
