Data breach · investigating

Nigeria NIN national-ID data exposure

Unauthorized websites such as XpressVerify and AnyVerify were caught selling Nigerians' National Identification Numbers, Bank Verification Numbers, passports, and other personal data for as little as ₦100 — exploiting improperly governed API access to the NIMC identity database.

Victim: National Identity Management Commission (NIMC)

Beginning in late 2023 and erupting publicly in March 2024, a cluster of unauthorized "verification" websites was caught selling the personal data of millions of Nigerians — drawn from the National Identity Management Commission (NIMC) identity database — for as little as ₦100 (about $0.07) per record.

What happened

Sites including XpressVerify.com and AnyVerify.com.ng offered instant lookups of citizens' National Identification Numbers (NIN), Bank Verification Numbers (BVN), virtual NINs, driver's licences, passports, tax IDs, voter cards, and phone numbers. A Foundation for Investigative Journalism (FIJ) report on 16 March 2024 demonstrated that XpressVerify could return a complete NIN profile for a trivial fee; the site was taken offline shortly afterward.

The scale was substantial: AnyVerify alone recorded an estimated 567,990 visits in February 2024. Crucially, security experts and the regulator concluded this was not a direct hack of NIMC's database. Instead, the sites exploited improperly governed access — likely API connections granted to licensed verification agents and then resold or abused outside regulatory rules. As one stakeholder put it, "they haven't hacked into the database; instead, they have leveraged some form of access that is not in line with regulations."

Response

NIMC publicly denied that its database was compromised, citing ISO 27001:2013 certification and compliance with the Nigeria Data Protection Act 2023, and on 25 June 2024 flagged five offending websites: idfinder.com.ng, verify.ng, championtech.com.ng, trustyonline.com, and anyverify.com. The Nigeria Data Protection Commission (NDPC) opened an investigation into the unauthorized processing and monetisation of citizens' data. Civil-society group Paradigm Initiative served pre-action legal notices on eight federal bodies — including NIMC, NDPC, the immigration service, the tax authority, the central bank, and INEC — demanding investigation, compensation, and stronger enforcement.

Impact

Because NIN and BVN underpin banking, SIM registration, and access to government services in Nigeria, the cheap availability of these identifiers created broad exposure to SIM-swap fraud, account takeover, and identity theft. The episode also intensified concern over the security of centralised national-ID systems, where a single layer of resold access can effectively leak an entire population's identity data without the core database ever being breached.

Why it matters

The NIMC case is a textbook example of third-party and API-governance failure rather than a classic intrusion. It demonstrated that a national identity system is only as secure as the ecosystem of agents and integrators authorised to query it, and it became a defining test of Nigeria's then-young Data Protection Act 2023 and the NDPC's willingness to enforce it.
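
The governance gap described above is something an identity provider can look for in its own audit trail. The following Python code is an added example, not taken from NIMC, the NDPC or the cited reports: it scans a constructed verification-API log and flags licensed agents whose usage suggests resold access. The log fields, agent IDs, origin registry and the 20% threshold are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a verification-API audit log (all fields hypothetical):
# time, licensed agent key, hashed subject id, consent reference, calling origin.
SAMPLE_LOG = """\
ts,agent_id,subject,consent_ref,origin
2024-02-01T09:00:01,agent-bank-01,s1,c-1001,app.bank.example
2024-02-01T09:00:09,agent-bank-01,s2,c-1002,app.bank.example
2024-02-01T09:01:30,agent-bank-01,s3,c-1003,app.bank.example
2024-02-01T09:00:02,agent-kyc-07,s4,,lookup-a.example
2024-02-01T09:00:03,agent-kyc-07,s5,,lookup-b.example
2024-02-01T09:00:04,agent-kyc-07,s6,c-2001,portal.kyc.example
2024-02-01T09:00:05,agent-kyc-07,s7,,lookup-a.example
"""

# Origins each agent declared at licensing time (assumed registry).
REGISTERED_ORIGINS = {
    "agent-bank-01": {"app.bank.example"},
    "agent-kyc-07": {"portal.kyc.example"},
}

def flag_resale(log_text, registry, max_no_consent=0.2):
    """Return {agent_id: [reasons]} for agents whose usage suggests resold access."""
    stats = defaultdict(lambda: {"total": 0, "no_consent": 0, "origins": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        s = stats[row["agent_id"]]
        s["total"] += 1
        if not row["consent_ref"].strip():
            s["no_consent"] += 1
        s["origins"].add(row["origin"])

    findings = {}
    for agent, s in stats.items():
        reasons = []
        # Traffic arriving from origins the agent never declared.
        unknown = s["origins"] - registry.get(agent, set())
        if unknown:
            reasons.append("unregistered origins: " + ", ".join(sorted(unknown)))
        # Lookups made without any recorded data-subject consent.
        ratio = s["no_consent"] / s["total"]
        if ratio > max_no_consent:
            reasons.append(f"{ratio:.0%} of lookups lack a consent reference")
        if reasons:
            findings[agent] = reasons
    return findings

if __name__ == "__main__":
    for agent, reasons in flag_resale(SAMPLE_LOG, REGISTERED_ORIGINS).items():
        print(agent, "->", "; ".join(reasons))
```

An agent missing from the registry has every origin treated as unregistered, so unknown credentials are flagged rather than silently passed.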

Timeline

  1. AnyVerify.com.ng begins operating, commercialising recovery of Nigerians' NIN, BVN and other personal data.

  2. AnyVerify receives an estimated 567,990 visits in a single month, underscoring the scale of demand for cheap identity lookups.

  3. A Foundation for Investigative Journalism (FIJ) report exposes XpressVerify.com selling full NIN records; the site is taken down soon after.

  4. NIMC and the Nigeria Data Protection Commission (NDPC) open an investigation; experts conclude there was no direct database hack but unauthorised API-style access.

  5. NIMC publicly flags five data-harvesting websites — idfinder.com.ng, verify.ng, championtech.com.ng, trustyonline.com and anyverify.com — and denies its database was compromised.

  6. Paradigm Initiative serves pre-action legal notices on eight federal agencies, seeking investigation and compensation for affected citizens.

Sources

  1. biometricupdate.com: https://www.biometricupdate.com/202406/nigerias-nimc-fights-off-data-breach-accusations-flags-5-data-harvesting-websites
  2. punchng.com: https://punchng.com/nimc-facing-multiple-unauthorised-accesses-to-nin-data-stakeholders/
  3. paradigmhq.org: https://paradigmhq.org/major-data-breach-sensitive-government-data-of-nigerian-citizens-available-online-for-just-100-naira/
