Nigeria’s identity data leak deepens as NINPrint.com joins rogue sites exposing BVNs, NINs and personal records for a few naira, raising privacy fears

Nigeria’s identity data leak has again taken centre stage following the discovery of yet another rogue website exposing citizens’ sensitive personal records for profit.

Also read: ‘No access’ BVN generated NIN must be verified to access NIMC mobile app, Officials say

NINPrint.com, a self-described digital identity platform, has emerged months after XpressVerify caused public outrage by illegally selling Nigerians’ NIN and BVN details.

This persistent breach of data systems shows that even after spending over $630 million since 2011 to build a robust national identity database, Nigeria still cannot guarantee the security of its citizens’ private information.

Despite global backing, including a $433 million World Bank grant supported by the European Union and the French Development Agency, loopholes remain glaring.

NINPrint’s website boldly offers services such as BVN verification by name and phone number, retrieval of lost NINs, CAC lookups, and voter card access — all for just a few hundred naira.

Worse still, the site operates without any public affiliation to the National Identity Management Commission (NIMC), raising concerns about its source of data.

To test these services, FIJ funded an account with N150 and attempted several searches using volunteered numbers.

The site eventually returned accurate NIN and BVN-linked information of unsuspecting journalists — proof of unauthorised access to Nigeria’s identity records.

“This reckless exposure of Nigerians’ data leaves everyone vulnerable,” a data protection advocate said.

“It’s no longer a question of if your data is compromised, but how badly.”

The operator, Abbeytech Ventures, is registered as a sole proprietorship by Abdullahi Shogbanmu Abiodun.

When contacted, an individual linked to the business abruptly ended the call after being questioned about links to NIMC. This silence deepens suspicion.

Exposing full names, phone numbers, home addresses and financial identifiers such as BVNs can have devastating consequences.

Criminals may use these for identity theft, unauthorised bank withdrawals, loan scams, and phishing attacks. In severe cases, victims could face physical threats or permanent reputational harm.

The law is clear. Section 14 of the NIMC Act vests exclusive control of identity databases to the Commission.

Section 28 makes it a criminal offence to access or sell identity information without lawful authority, punishable by jail and a fine of at least N1 million.

Further, the Nigeria Data Protection Act (NDPA) mandates data controllers to process information transparently and legally.

The NDPC can impose penalties of up to N10 million or 2% of annual turnover for non-compliance. Data breaches must also be reported within 72 hours.

After the XpressVerify scandal in April 2024, NIMC suspended third-party database access but later restored access to what it described as “essential service providers”.

Civil society groups like Paradigm Initiative warned that the issue was far from resolved. NINPrint now proves that point.

“How many other websites are currently selling our data?” one security analyst asked. “And how many times will we raise the alarm before real reform begins?”

Following a tipoff, FIJ notified NIMC of the new breach. Kayode Adegoke, the Commission’s spokesperson, acknowledged the alert and promised swift action.

But Nigerians remain frustrated. Despite investments, policies and agencies, their most sensitive data remains exposed to the highest bidder online.

The cycle of discovery, denial, and delayed reaction continues — and each new breach chips away at public trust.