NIMC limits access to NIN database in wake of hacking probe

The National Identity Management Commission (NIMC) has limited access to the National Identification Number (NIN) database for its licensed agents following an investigation by the Nigeria Data Protection Commission (NDPC).

According to a report by The Foundation for Investigative Journalism (FIJ), it has been alleged that a private website called Xpressverify.com has unrestricted access to the NIN and personal details of Nigerian citizens and residents registered on the ID database managed by NIMC. The report further suggests that the website has been monetizing the recovery of NINs and personal information from the Nigerian identification database.

“At the moment, data processing by licensees generally are to be scrutinized and only those that are cleared based on credible evidence of regulatory compliance will be permitted to carry out NIN verification going forward,” the data protection agency, NDPC, said.

NDPC said that “a series of intensive training will be conducted to ensure that personnel and licensees are abreast of the duty of care and the standard of care mandated by the Nigeria Data Protection Act, NIMC’s Privacy Policy, and other relevant regulatory protocols.”

The NDPC said it is investigating a data breach that occurred at NIMC. The investigation has revealed that a third party, which was originally authorised to provide verification services to citizens and businesses, may have allowed Xpressverify.com to use its NIN verification credentials to conduct verification. The NDPC said that is working with relevant agencies to determine how expressverify.com obtained these credentials and to identify the individuals responsible by the law.

While the circumstances surrounding this permission are still under investigation, the Commission said in a statement

“To remedy this incident, the National Identity Management Commission (NIMC), in line with established remediation protocols, barred all forms of access to its database. Though necessary, barring all forms of access affected all genuine and crucial verification requests. After a painstaking review, limited access has been granted to a few establishments that are providing pivotal public services such as education and security.”

NIMC, its sister data protection agency said, has strengthened existing technical and organisational measures to protect citizen’s data. However, citizens must take responsibility for ensuring they are not left unidentified in various development frameworks.

The NDPC emphasises the importance of NIN as essential data for sustainable development and encourages members of the public to recognize its significance.