NIMC risks penalties as NDPC investigates breach that exposed NIN of 100 million people

One month after a little-known company got unrestricted access to the private data of 100 million Nigerians, Nigeria’s Identity Management Commission (NIMC) is under investigation for a data breach. One publication detailed how XpressVerify, the company involved in the breach, obtained and monetised its access to the identification numbers.

“If they [NIMC] are found negligent, there would be penalties. Last year in South Africa, the data protection agency fined the Ministry of Justice over a data breach. Nobody is above the law,” said Dr. Vincent Olatunji, the National Commissioner of the Nigeria Data Protection Commission (NDPC).

In 2021, NIMC was also accused of negligence after a self-service app for identity verification was breached, and the resulting data was sold on the dark web. While NIMC often denies these incidents, several reports have alleged worrying vulnerabilities at the agency.

“Whoever is responsible for the breach will be prosecuted. By the time we investigate and know what happened, that will guide us on what to decide,” Dr Olatunji said.

The NDPC has carried out its preliminary findings and will soon release a report. While it is unclear when that report will be released, the commissioner said they discovered “[it was] one of their [NIMC] agents that [was] trying to cause some issues by working with the company where the issue occurred.”

According to the Nigeria Data Protection Act, companies found guilty of violations—including data breaches—may be fined a maximum of ₦10 million or 2% of their annual gross revenue in the preceding year. The NDPC clarified that while government agencies like NIMC may not face direct penalties, individual officials and licensed partners involved in the alleged NIN data breach could be prosecuted.

The data protection regulator typically looks at the compliance level of the organisation involved, its data processing activities, employees managing the data, and technical measures to prevent future breaches. It found NIMC’s infrastructure to be “very okay.”

Last year, NDPC investigated OPay, Meta, and DHL, for alleged data privacy violations. While Olatunji declined to provide specifics on the outcome of the investigation, he disclosed that at least four or five of the companies investigated paid a remediation fee instead of 2% of their annual gross revenue.

“What is important to us isn’t the money but to ensure they do the right thing. When we have done our investigation and found that the impact isn’t too severe, we ask them to pay a remediation fee and subject them to monitoring for six months to make appropriate amendments in the areas where they have been found culpable.”