How NIMC Leaked Nigerians’ Data to Fraudulent Verification Agents

On Friday, FIJ published a report revealing that XpressVerify.com, a private website, had unrestricted access to the National Identification Numbers (NINs) and personal details of registered Nigerians, contrary to Section 14 of the National Identity Management Commission (NIMC) Act 2007.

Following this revelation, Namecheap, XpressVerify’s domain registrar, suspended the website and made it inaccessible to the public.

NIMC also issued a statement saying it offers NIN verification services and other services through licensed partners.

In the statement, Abisoye Coker-Odusote, the director-general and CEO of NIMC, distanced the commission from XpressVerify and ordered a probe into how it got access.

Insiders have now disclosed that this was misleading, as the NIMC compromised the system itself, according to TheCable.

The report stated that the NIMC recently reinstated the NIN Verification Service (NVS), which allowed unlicensed and unauthorised parties to access the data of all Nigerians captured on the NIN database, with some NIMC staff members linked to profiting entities.

The NVS was the brainchild of the NIMC in 2012, but in 2017, the World Bank performed an audit and found several loopholes and vulnerabilities in it.

This audit concluded that there was a need for audit controls, transparency and personal information protection after it was discovered that a licensed agent could create its own application programming interface to provide services to subagents without the NIMC’s knowledge.

These subagents could then get information from the NVS without NIMC’s knowledge.

Licensed agents were benefiting, as they would charge the subagents for the service without remitting to the NIMC. These charges ranged from N50 to N500.

As the business thrived, subagents went on to register subagents of their own. NIMC shut down the NVS in 2017 after this audit.

In 2023, President Bola Tinubu put Coker-Odusote at the helm of the NIMC’s affairs, and some officials pressed her to reopen the NVS despite its known flaws.

On February 26, 2024, Carolyn Folami, a director and head of business development and commercial services, issued a circular to the commission’s verification service agents announcing the restoration of the NVS.

“Kindly be informed that the NIMC, in a renewed commitment towards enlarging the use of the NIN for verification services across all industry, has reopened the NVS for your organizations’ use for verification services,” she wrote in a document.

“Also note that NIMC is working on an upgrade and further improvements on the NIN Pseudonymization verification services as well, which will be duly communicated.

“Please contact the Business Development and Commercial Services department of the NIMC for renewed credentials and further support services. In addition, do provide the contact email and phone number of your organization’s team lead for the exercise.

“The foregoing is for your information and necessary action.”

The newspaper also documented the account of an NIMC staff member who asked not to be named.

“That memo and the directive contained in it effectively reversed all the security measures put in place in creating the NVS. It is like opening the bank vault for the public to have a free run on the cash,” the newspaper quoted the NIMC staff member as saying.

“With the roll-back to the NVS, it means anyone who has a verification licence and an NIN can query data with or without consent.

“All the reports listed about data vulnerabilities are a cover-up. It will be wise to conclude that the current CEO has no clue what she’s doing, as she’s listening to folks only interested in their pockets.

“Otherwise, such a memo would never have been issued. Bottom line is NIMC does not permit any raw NIN verification. The tokenisation is user consent management. Without the ID holder providing their explicit consent, you can’t get the data. And you have to ask first and be given a virtual NIN (vNIN), which is the consent token.

“I can assure you that there are very minimal controls in place. The staff at the NIMC are the developers of the NVS solution, and some created a few backdoors for themselves as there is no visibility beyond what they wish for anyone to see.”
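The staff member’s description of the consent model (no raw NIN lookups; the ID holder must first grant consent and receive a vNIN token that the agent presents) and the audit’s finding that licensed agents resold access to subagents without NIMC’s knowledge both come down to the same two controls: a consent token bound to one agent and one use, and a per-agent audit trail. The following Python model is an added example written for this article; it is not NIMC’s or any partner’s code, and the token format, record fields, the `ConsentService` class and the sample records are all constructed for illustration.

```python
"""Illustrative consent-gated verification service (added example, not NIMC code).

Models the controls the article describes: raw NIN queries are refused outright,
a holder-issued vNIN token is required, the token is bound to one licensed agent
and consumed on first use, and every request is written to an audit trail so that
agents whose tokens keep failing (a resale or replay pattern) can be flagged.
"""
import secrets
import time
from dataclasses import dataclass

# Constructed sample database; these NINs and names are fictitious.
DATABASE = {
    "12345678901": {"name": "Ada Example", "dob": "1990-01-01"},
    "10987654321": {"name": "Bayo Sample", "dob": "1985-05-05"},
}


@dataclass
class Consent:
    nin: str        # which record the holder consented to release
    agent_id: str   # the one licensed agent allowed to redeem it
    expires: float  # unix time after which the token is dead


class ConsentService:
    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.tokens = {}   # vNIN token -> Consent (assumed server-side consent registry)
        self.audit = []    # (agent_id, outcome) for every request, success or not

    def issue_vnin(self, nin, agent_id, now=None):
        """The ID holder authorises a specific agent: returns an opaque vNIN token.

        The token carries no NIN material; it is only a reference to a consent record.
        """
        if nin not in DATABASE:
            raise KeyError("unknown NIN")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)
        self.tokens[token] = Consent(nin, agent_id, now + self.ttl)
        return token

    def verify(self, agent_id, vnin=None, nin=None, now=None):
        """Return the record for a valid vNIN, or None with the refusal logged."""
        now = time.time() if now is None else now
        if nin is not None:
            # Raw NIN lookup is refused no matter what licence the caller holds.
            self.audit.append((agent_id, "refused:raw_nin"))
            return None
        consent = self.tokens.get(vnin)
        if consent is None:
            self.audit.append((agent_id, "refused:unknown_or_used_token"))
            return None
        if consent.agent_id != agent_id:
            # Token was issued to another agent: the subagent-resale case.
            self.audit.append((agent_id, "refused:wrong_agent"))
            return None
        if now > consent.expires:
            self.audit.append((agent_id, "refused:expired"))
            return None
        del self.tokens[vnin]  # single use: a replayed token fails next time
        self.audit.append((agent_id, "ok"))
        return dict(DATABASE[consent.nin])

    def suspicious_agents(self, min_refusals):
        """Agents with at least min_refusals failed requests in the audit trail."""
        counts = {}
        for agent, outcome in self.audit:
            if outcome != "ok":
                counts[agent] = counts.get(agent, 0) + 1
        return {a for a, n in counts.items() if n >= min_refusals}


if __name__ == "__main__":
    svc = ConsentService()
    tok = svc.issue_vnin("12345678901", "agentA")
    print(svc.verify("agentA", nin="12345678901"))   # None: raw lookup refused
    print(svc.verify("agentB", vnin=tok))             # None: token bound to agentA
    print(svc.verify("agentA", vnin=tok))             # the record
    print(svc.verify("agentA", vnin=tok))             # None: already consumed
    print(svc.suspicious_agents(2))
```

The design choice worth noting is that the refusal paths are recorded as carefully as the successes: the World Bank audit described in the article found no audit controls at all, and without the per-agent trail the resale pattern (one licence, many distinct callers, many rejected or replayed tokens) is invisible to the commission.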

FIJ