Centralized digital ID systems promise convenience and streamlined access to services, but when a single database becomes the gateway to a population’s most sensitive details, the consequences of a breach can be devastating. Nigeria is now facing exactly that risk.
Allegations have emerged that insiders at the National Identity Management Commission (NIMC) are selling citizens’ personal information on the open market.
The leaked material reportedly includes National Identification Numbers (NINs), Bank Verification Numbers (BVNs), and even photographs, data that can unlock both government services and bank accounts. One investigative journalist claims they were able to purchase the NINs and BVNs of several Nigerians, including three journalists, using nothing more than a phone number.
The National Data Protection Commission (NDPC) has launched an investigation, warning that NIMC or any agents found responsible could face fines of up to N10 million or 2 percent of their annual revenue. This follows earlier enforcement actions that saw more than 100 registration partners terminated for extortion and other misconduct.
Reclaim Your Digital Freedom.
Get unfiltered coverage of surveillance, censorship, and the technology threatening your civil liberties.
Evidence of the trade surfaced when a buyer demonstrated that four full sets of personal records could be acquired online, pointing to an insider breach of the national identity database.
The scale of the exposure is alarming, with over 122 million Nigerians already enrolled and the country recently shifting to the NINAuth digital verification platform, which centralizes identity checks nationwide.
Nigeria’s identity program is meant to provide secure authentication for public services and financial transactions, but its vulnerabilities have been laid bare. Since 2011, the government has poured significant funds into the system, beginning with a N30.66 billion allocation for electronic ID cards and later securing a $433 million World Bank–backed grant in 2019 to register 148 million citizens by mid-2024.
Public concerns over data protection intensified in April 2024 when FIJ exposed XpressVerify, a rogue website selling access to personal information for as little as N200 per search.
Centralized digital ID systems create a single, all-or-nothing point of trust. Once that point is breached, the consequences spread far beyond the original leak, because the same identifiers feed multiple systems, financial, governmental, and even biometric verification.
This design means one compromised access channel can silently open doors across an entire society. Unlike a credit card number, which can be replaced, identifiers like a NIN or biometric template are permanent, locking citizens into a lifetime of exposure once stolen.
