A website called AnyVerify is illegally selling the personal information of over 100 million Nigerians, including National Identification Numbers (NIN), Bank Verification Numbers (BVN), and Tax Identification Numbers. Despite not having a licence from the National Identity Management Commission (NIMC), AnyVerify is offering this data for just ₦190 (13 cents).
This is the second time in a year that an unlicensed site has sold Nigerians’ personal data. In March 2024, XpressVerify was found selling similar information without authorization. An investigation revealed that the breach was due to access abuse by an NIMC agent, not a failure in NIMC’s security system. Several arrests were made, but NIMC denied involvement at the time.
NIMC licenses banks, fintechs, and other partners to access its database for a fee, but AnyVerify is not one of these licensed entities. This raises questions about how AnyVerify obtained access to the data. Gbenga Sesan, executive director of the non-profit Paradigm Initiative, which first reported the issue, stated they were able to buy NIN slips for high-profile individuals like the Minister of Communications and the Commissioner of the Nigeria Data Protection Commission (NDPC).
AnyVerify lacks a vetting process to prevent misuse. Users need only provide an email address and NIN to register, and must fund a wallet with at least ₦400 before accessing the service.
Neither NIMC nor NDPC immediately commented on the situation. An ethical hacker suggested the breach could be due to poor data protection practices or insider abuse at NIMC.
Since its launch in November 2023, AnyVerify has seen significant traffic, with nearly 568,000 visits in February and over 188,000 in April 2024, according to Paradigm Initiative.
Following the recent data breaches, NIMC flagged five websites, including AnyVerify, for collecting data without authorization. NIMC’s spokesperson, Kayode Adegoke, warned the public to avoid these sites, which may be scams.
Paradigm Initiative highlighted the severe risks of selling personal data, such as identity theft, financial fraud, and threats to personal and national security. In response, NIMC reassured the public that their data is secure and emphasised that only authorised partners should verify NINs.