More than a year after the discovery of the rogue data website XpressVerify, sensitive identity records of Nigerians — including National Identification Numbers (NINs), Bank Verification Numbers (BVNs), addresses, and photos — remain available for sale on the internet. In a recent investigation by the Foundation for Investigative Journalism (FIJ), a reporter successfully purchased the personal data of four Nigerians using just N560, raising fresh concerns about the safety of the country’s identity infrastructure. Billions Spent, Yet No Safety Nigeria has invested over $630 million in national identity projects since 2011. This includes a $433 million World Bank-backed grant in 2019 aimed at registering 148 million Nigerians by mid-2024 and improving the country’s identity management systems. Despite these efforts, data breaches persist. In April 2024, FIJ uncovered XpressVerify, a website illegally accessing the national database. The backlash led to a temporary suspension of third-party access by the National Identity Management Commission (NIMC) and a probe by the Nigeria Data Protection Commission (NDPC). However, FIJ’s recent findings reveal that such leaks continue to exist through newer platforms. Introducing NINPrint.com In July 2025, FIJ discovered NINPrint.com, a website offering identity verification services that include NIN and BVN lookup via phone numbers or document details; retrieval of lost NINs using tracking IDs; access to voter cards, driver’s licences, bank slips, and CAC records; and “people tracking” and background check services. According to the platform, these services are offered at a cost of just a few hundred naira. FIJ traced the platform to Abbeytech Ventures, a sole proprietorship registered by Abdullahi Shogbanmu Abiodun. The associated phone number links to a cybercafé that also advertises NYSC registration services. Reporter’s Test Purchase Confirms Breach To verify the platform’s claims, FIJ funded an account with N150 and attempted several identity lookups. While some attempts failed, one successful search returned detailed personal information — including NIN and BVN-linked data — of individuals using only their phone numbers. The exposed data belonged to journalists who had consented to the experiment. Grave Implications for Nigerians The ability to access such personal data poses significant risks. Identity theft: Criminals can use NINs and BVNs to commit fraud, take out loans, or open bank accounts. Financial loss: BVNs may allow fraudsters to bypass verification processes and access victims’ accounts. Physical danger: Access to personal addresses and phone numbers increases the threat of harassment, kidnapping, or stalking. Reputational damage: Victims may face consequences if their identities are used to commit crimes. What the Law Says The NIMC Act (2007) and the Nigeria Data Protection Act (NDPA, 2023) prohibit the unauthorised use, sale, or disclosure of personal data. Section 28 of the NIMC Act criminalises unlawful access to identity data, carrying penalties of at least N1 million and/or three years in prison. The NDPA empowers the NDPC to impose fines of up to N10 million or 2% of a company’s gross annual revenue for violations. Data controllers are also required to report breaches to the NDPC within 72 hours, especially if they pose a high risk to individuals. NIMC Responds, Questions Remain FIJ notified NIMC of the latest breach. Spokesperson Kayode Adegoke acknowledged the alert and said the Commission would address the issue. But the situation raises urgent questions: How many other websites are still accessing Nigeria’s national database? Who is responsible for these repeated breaches? When will Nigerians finally have confidence in the protection of their private data? Until comprehensive digital safeguards and accountability measures are enforced, the personal data of millions remains at risk.
