AnyVerify, a website claiming to help businesses verify their customers, has been found selling the personal information of over 100 million Nigerians. This includes sensitive details like National Identification Numbers (NIN), Bank Verification Numbers (BVN), and Tax Identification Numbers. Shockingly, AnyVerify is not licensed by Nigeria’s identity management commission (NIMC).
For just ₦190 (about 13 cents), AnyVerify offers detailed profiles of any Nigerian. This is the second time within a year that an unlicensed website has been caught selling Nigerians’ personal information. In March 2024, the National Identity Management Commission (NIMC) had to deny that XpressVerify, another website selling personal data, was one of its licensed partners. An investigation by the Nigeria Data Protection Commission (NDPC) found that NIMC’s security was good, and the March breach happened because an NIMC agent misused their access. Several people were arrested after this incident.
Despite these assurances, the new breach involving AnyVerify has raised fresh concerns. Usually, NIMC’s database is only available to banks, fintech companies, and other partners for a fee. AnyVerify does not have such a license, which raises serious questions about how it got access to the database. Gbenga Sesan, the executive director of Paradigm Initiative, a non-profit that first reported this breach, said, “We tested the website, saved the evidence, and could buy NIN slips for Bosun Tijani, the Minister of Communications, Innovation and Digital Economy, and Vincent Olatunji, the commissioner of the NDPC.”
Unlike NIMC and its licensed partners, AnyVerify does not have a process to check for bad actors. Users must provide their email addresses and NINs—the same data they want to verify. After signing up, users must add at least ₦400 to their wallet before using the website.
Attempts to get comments from NIMC and the Nigeria Data Protection Commission (NDPC) have been unsuccessful. An ethical hacker, who wished to remain anonymous, suggested that the breach could be due to poor data protection practices by NIMC or an insider giving out information. “It is either the NIMC is doing a poor job at data protection by using cloud storage to store data or an insider is allowing individuals to retrieve data,” the hacker said.
AnyVerify, which started in November 2023, had 567,990 visits in February and 188,360 in April 2024, according to Paradigm Initiative. This breach comes after the National Identity Management Commission (NIMC) was moved from the Ministry of Communications, Innovation and Digital Economy to the Office of the Secretary to the Government of the Federation.