Legal Action Initiated Against AnyVerify.com.ng for BVN Data Breach
Only three months after FIJ exposed XpressVerify, a private website selling Nigerian identification data, another private website, AnyVerify, has been found trading Nigerian bank verification numbers (BVNs), among other sensitive citizen data.
Paradigm Initiative (PIN), an ICT for Development and Digital Rights group, said on Thursday that it was seeking legal redress on behalf of Nigerians for a breach of data privacy rights.
Vindich Legal, the legal partners of Paradigm Initiative, have served a pre-action notice to the National Identity Management Commission (NIMC), the Nigeria Data Protection Commission (NDPC), the Nigeria Immigration Service (NIS), the Federal Inland Revenue Service (FIRS), the Central Bank of Nigeria (CBN), the Independent National Electoral Commission (INEC), the Federal Road Safety Corps (FRSC) and the Office of the Attorney General of the Federation (AGF).
The lawyers want Nigeria’s federal government to make:
- A Declaration that the act of unauthorised access to the data of Nigerian citizens by AnyVerify.com.ng and commercialization of the same violates the provision of Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (CFRN).
- A Declaration that by virtue of Section 30 and Section 39 of the Nigeria Data Protection Act (NDPA) 2023, all involved agencies of government have a duty to implement appropriate technical and organisational measures to ensure the security and integrity of citizens’ sensitive personal data.
- An Order of court mandating a full investigation and publication of the investigative report regarding the personal data breach occasioned by the data leak to AnyVerify.com.ng and its customers by the National Identity Management Commission (NIMC).
- An Order of the court directing all involved agencies of government to release official information to the public regarding the activities of their agents and sub-licensees.
- An Order of court directing the involved agencies of government to provide restitution in the form of compensation to data subjects who have been affected by the data leak.
“Following the XpressVerify incident, further research was undertaken, and it was discovered that another actor tagged AnyVerify.com.ng has been operating in the digital space of Nigeria since November 2023,” PIN stated on Thursday.
“From our research, AnyVerify.com.ng is a website involved in the commercial distribution of personal and private data of Nigerians. On its webpage, a drop-down displaying the myriads of data services which the website renders can be observed. These include personal data such as the National Identity Number (NIN), the Bank Verification Number (BVN), a virtual NIN, Driving License, International Passport, Company details, Tax Identification Number (TIN), Permanent Voter’s Card (PVC) and Phone Numbers.
“All these are sold by this website to any interested party for the sum of N100.00 (One Hundred Naira Only) for each data request. This website was visited five hundred and sixty-seven thousand, nine hundred and ninety (567,990) times in February 2024 and one hundred and eighty-eight thousand, three hundred and sixty (188,360) times in April 2024.”
Semrush showed that AnyVerify was in the top 3400 websites in Nigeria; it received at least 68,000 visits in May.
After FIJ’s exposé in March, NIMC informed the public that XpressVerify was not one of its licensed partners. AnyVerify is also not acknowledged on NIMC’s website as a licensed partner.
The press called NDPC and NIMC on Friday, but the phone calls were not answered. This reporter also sent text messages and emails, which the agencies had not responded to at press time.
NIMC has not shared a list of the commission’s licensed partners yet. FIJ has requested it.