AnyVerify, a website purportedly aiding businesses in customer verification, is under fire for selling the personal data of over 100 million Nigerians. This includes highly sensitive information such as National Identification Numbers (NIN), Bank Verification Numbers (BVN), and Tax Identification Numbers—all without any licensing from the National Identity Management Commission (NIMC).
For a mere ₦190 (approximately 13 cents), AnyVerify provides comprehensive profiles of any Nigerian. This incident marks the second occurrence within a year where an unauthorized entity has offered Nigerians’ personal information for sale. In March 2024, NIMC dismissed claims that XpressVerify, another website engaged in selling personal information, was one of its accredited partners.
The Nigeria Data Protection Commission (NDPC) investigated the March incident and determined that NIMC’s security infrastructure was compliant, attributing the breach to an NIMC agent misusing access privileges. Arrests were made in connection with the breach, though NIMC’s spokesperson denied any wrongdoing at the time.
NIMC typically licenses its database to banks, fintech companies, and other authorized partners for a fee. The fact that AnyVerify is not among these licensed partners raises serious concerns about how it accessed the database.
Gbenga Sesan, executive director of the Paradigm Initiative—a non-profit organization that initially uncovered the issue—stated, “We tested the website, archived it, and successfully purchased NIN slips for Bosun Tijani, the Minister of Communications, Innovation and Digital Economy, and Vincent Olatunji, the commissioner of the NDPC.”
Unlike NIMC and its official partners, AnyVerify, which brands itself as a verification tool, lacks a vetting process to screen out malicious actors. The website merely requires users to submit their email addresses and NINs—the same data they seek to verify. Post-registration, users are prompted to fund a wallet with at least ₦400 before utilizing the site’s services.
An anonymous ethical hacker commented, “Either NIMC is failing in data protection by relying on cloud storage, or an insider is facilitating unauthorized data retrieval.”
Launched in November 2023, AnyVerify saw 567,990 visits in February 2024 and 188,360 visits in April 2024, according to data from the Paradigm Initiative.
These data breaches have occurred only a few months after the National Identity Management Commission was moved from the Ministry of Communications, Innovation, and Digital Economy to the Office of the Secretary to the Government of the Federation.