Wednesday, July 24th 2024: Paradigm Initiative (PIN), a pan-African non-governmental organisation advocating for digitals rights and inclusion has moved to court in a public-interest litigation following a recent data breach in Nigeria that saw personal data sold for N100.
The organisation, through Vindich Legal Law Firm has filed a case at the Federal High Court of Nigeria in the Abuja Judicial Division Holden at Abuja against nine respondents seeking a raft of declarations and orders.
In the case, the National Identity Management Commission (NIMC) has been named the first respondent followed by Central Bank of Nigeria (CBN), Nigeria Inter-Bank Settlement Systems PLC (NIBSS), Nigeria Immigration Service (NIS), Federal Inland Revenue Service (FIRS), Federal Road Safety Corp (FRSC), Independent National Electoral Commission (INEC), Nigeria Data Protection Commission (NDPC) and Attorney General of the Federation.
PIN states that on 16th March, 2024, an online news reporting and journalism outlet- Foundation of Investigative Journalism published a story on their platform ‘fij.ng’ with the heading Alert: XpressVerify, a Private Website, Has Access to Registered Nigerians’ Data and is Making Money From It.”
As a result of the XpressVerify.com.ng debacle, and in an attempt to prevent a repeat of such breaches, PIN conducted further research into the data breach of such nature which resulted in the organisation’s introduction to another actor tagged ‘AnyVerify.com.ng’ operating in the digital webspace of Nigeria since November 2023.
Research conducted by PIN showed AnyVerify.com.ng is a website involved in the commercial distribution of personal and private data of Nigerians. On the webpage, a drop-down displaying data services which the website provides can be observed. These include National Identity Number (NIN), the Bank Verification Number (BVN), a virtual NIN, Driving License, International Passport, Company details, Tax identification Number (TIN) and Phone Number.
The above-listed personal data are sold by the website for a sum of N100 (One Hundred Naira Only). The website, PIN also discovered was visited 567,990 times in February 2024 and 118,360 times in April 2024 by individuals, thereby evincing that it was an ongoing operation and the website was active.
Paradigm Initiative is seeking for an order mandating a full investigation and publication of the investigative report regarding personal data breach occasioned by the data leak to AnyVerify.com.ng and its customers by the respondents within one month of the decision of the court.
The organisation is urging the court to mandate the respondents to cease/halt/stop further data processing and operations both with public and private entities pending publication of a report on the investigation into this form of personal data breach, a report on remedial actions undertaken and the security measures implemented to safeguard personal data and also address and prevent re-occurrence.
PIN also wants the court to issue orders directing NIMC in conjunction with NDPC to provide restitution in form of compensation (to be determined by the court) to data subjects who have been affected by the data leak of their personal data to AnyVerify.com.ng and its customers. This is predicated on complaints filed by data subjects to the Nigeria Data Protection Commission (NDPC).
Further to the above orders, Paradigm Initiative also wants the court to issue an order mandating an enquiry and published report by the respondents within one month of the decision on other possible data leaks and personal data breaches as well as actors behind the websites currently transacting and generating profit from the sale of personal data of Nigerians- both licensed and unlicensed.
In the suit papers, PIN says that following this discovery, and due to lack of awareness on the subject matter by the respondents in the case, it forwarded pre-action notices informing the respondents of the issue, and updated them on their responsibilities vis-à-vis obligations on 4th June, 2024. However, PIN only received a response from the Nigeria Data Protection Commission.
Paradigm Initiative further adds that while it received assurances of due diligence and proper accreditation moving forward regarding vetting and investigation of licensed agents and data controllers from the commission due to a meeting held between both parties on the 10th June, 2024, the other respondents did not respond, displaying indifference about the safety of the personal data of Nigerians in their possession.
“ Accountability is the hallmark of democracy. The applicant is of the view that government agencies are tasked with the mandate to represent, protect and safeguard the interest of the public, i.e, the masses which they serve as public servants,” PIN submits in the court documents.
Paradigm Initiative’s contention is that following the breach, the private data of Nigerians are not safe with the respondents and they cannot protect the private data of Nigerian, and as such, defeats the original purpose of submitting the data for individual identification in the first instance.
………Ends……
About PIN
Paradigm Initiative (PIN) connects under-served young Africans with digital opportunities and ensures the protection of their rights. We have worked in communities across Nigeria since 2007 and across Africa since 2017, building experience, community trust, and an organisational culture that positions us as a leading non-profit in ICT for Development and Digital Rights on the continent.
Across our regional offices in Cameroon, Kenya, Nigeria, Senegal, Zambia, Zimbabwe, and beyond, we have impacted more than 150,000 youth with improved livelihoods through our digital inclusion and digital rights programs. Our programs include Life Skills. ICT. Financial Readiness. Entrepreneurship (LIFE) training program, a digital readiness workshop for girls, and life at school club program.
We have also built online platforms that educate and serve as safe spaces for reporting digital rights violations. These mediums, in the form of reports, short films, and educational online platforms, include Ayeta, Londa, and Ripoti.