One month after a little-known firm gained unrestricted access to the private data of 100 million Nigerians, Nigeria’s Identity Management Commission (NIMC) is under investigation for a data breach. One publication detailed how XpressVerify, the company involved in the breach, obtained and monetised its access to the identification numbers.
“If they [NIMC] are found negligent, there will be penalties. Last year in South Africa, the data protection agency fined the Ministry of Justice over a data breach. Nobody is above the law,” said Dr. Vincent Olatunji, the National Commissioner of the Nigeria Data Protection Commission (NDPC).
In 2021, NIMC was also accused of negligence after a self-service app for identity verification was breached, and the resulting data was sold on the dark web. While NIMC often denies these incidents, several reports have alleged worrying vulnerabilities at the agency.
“Whoever is responsible for the breach will be prosecuted. By the time we investigate and know what happened, that will guide us on what to decide,” Dr. Olatunji said.
The NDPC has completed its preliminary findings and will soon release a report. While it is unclear when that report will be released, the commissioner said they discovered “[it was] one of their [NIMC] agents that [was] trying to cause some issues by working with the company where the issue occurred.”
According to the Nigeria Data Protection Act, companies found guilty of violations, including data breaches, may be fined a maximum of ₦10 million or 2% of their annual gross revenue in the preceding year. The NDPC clarified that while government agencies like NIMC may not face direct penalties, individual officers and licensed partners involved in the alleged NIN data breach could be prosecuted.
The data protection regulator typically looks at the compliance level of the organisation involved, its data processing activities, the staff managing the data, and the technical measures in place to prevent future breaches. It found NIMC’s infrastructure to be “very okay.”
Last year, NDPC investigated OPay, Meta, and DHL for alleged data privacy violations. While Olatunji declined to provide specifics on the outcome of the investigation, he disclosed that at least 4 or 5 of the companies investigated paid a remediation fee instead of 2% of their annual gross revenue.
“What’s important to us isn’t the money but to ensure they do the right thing. When we have done our investigation and found that the impact isn’t too severe, we ask them to pay a remediation fee and subject them to monitoring for six months to make appropriate amendments in the areas where they’ve been found culpable.”