Unlicensed website sells Nigerian identity information for dirt cheap

At a cheap price tag of ₦190 (13 cents), AnyVerify will hand over an accurate profile of any Nigerian on its database.

AnyVerify, a third-party identity verification service provider, is accused of selling identity information to over 100 million Nigerians. According to the discovery, the information sold includes Bank Verification Number (BVN), National Identification Number (NIN), and Tax Identification Number (TIN).

At a price tag of ₦190 (13 cents), AnyVerify will hand over an accurate profile of any Nigerian on its database. This marks the second case in a year of an unlicensed entity selling the personal information of Nigerians on its platform.

The previous allegations were made against XpressVerify, a website selling personal information, and against the National Identity Management Commission (NIMC) for allowing one of its partners to commit such crimes. This happened in March 2024; however, NIMC denied claims that XpressVerify was one of its licensed partners.

Following the March data breach, an investigation by the Nigeria Data Protection Commission (NDPC) discovered that the breach was due to access abuse by a NIMC agent and not a failure of NIMC's security infrastructure.

According to people familiar with the incident, some individuals were arrested in connection with the breach. However, a NIMC spokesperson denied the claims at the time.

For those unaware, the NIMC offers database licenses to banks, fintechs, and other related partners. However, since NIMC declares that AnyVerify is not a licensed partner, how did it manage to access the database?

"We tested the website, archived it, and could pay for NIN slips belonging to Bosun Tijani, the Minister of Communications, Innovation and Digital Economy, and Vincent Olatunji, the Commissioner of the NDPC."

– Gbenga Sesan, Executive Director of Paradigm Initiative (the non-profit that first investigated and reported on the matter)

According to Sesan, users of AnyVerify are required to submit their email addresses and the NINs they intend to verify. After registration, users must fund an on-site wallet with at least ₦400 before they can use the website in full.

Neither NIMC nor the Nigeria Data Protection Commission (NDPC) has commented yet.

"Either the NIMC is doing a poor job at data protection by using cloud storage to store data, or an insider is allowing individuals to retrieve data."

– An anonymous ethical hacker

The breach occurred three months after the National Identity Management Commission (NIMC) was moved from the Ministry of Communications, Innovation and Digital Economy to the Office of the Secretary to the Government of the Federation.
