Compared to many other countries, data protection in Nigeria is still in its infancy. Before 2019, for instance, data protection was merely implied. The 1999 Constitution, under Section 37, only loosely shielded citizens from cybercriminals and the mishandling of personal data by government or private entities.
It was not until 2023, under the administration of Bola Ahmed Tinubu, that Nigeria passed its first comprehensive data protection law.
But beyond recent formal legislation, the careless handling of Nigerians’ data by state-owned agencies and institutions remains the clearest indication of poor understanding of, low regard for, and sluggish implementation of the NDPA.
By simply dork-auditing the .gov.ng domain, this story reveals how, by neglect or oversight, public agencies and sub-national data controllers continue to breach the core principle of the NDPA: protecting the personal data of Nigerians from public exposure and abuse.
CURIOUS CASE OF EDO STATE
On the surface, the Edo State Government has shown a concerning disregard for managing its digital assets. On March 25, FIJ reported that the state’s official website had been hijacked by a Turkish betting platform.
That same report noted that the site’s SSL certificate had expired. At the time of this writing, four months later, it still hasn’t been renewed.
So it’s hardly surprising that the same website currently indexes an XLS file, titled Edo Government MSME first batch, containing the personal details of 50 loan applicants, including their names, addresses, phone numbers, BVNs and bank account numbers.
Another document, titled Edo MSME August report, on the same site exposes a separate list of 144 individuals, with similar sensitive data — BVNs, addresses and account details — all publicly available.

Such disclosures make affected individuals highly vulnerable to identity theft. With these details, fraudsters can impersonate victims, access their bank accounts, or open new ones in their name.
The exposure of BVNs is particularly dangerous in Nigeria, where a single BVN is linked to all of a person’s bank accounts and is widely used for financial verification.

Armed with full names, addresses and contact details, criminals can launch targeted scams such as phishing, SIM swap fraud or extortion. In some cases, they might pose as banks or government officials to deceive victims into giving up even more sensitive information.
The Edo State case is especially curious because beyond the NDPA, the National Information Technology Development Agency (NITDA) has issued clear guidelines for data protection and cybersecurity on government websites.
Here is an excerpt on security from the guideline, which was made public in 2019:
“ii. Government websites shall include a standard privacy policy statement that stipulates:
a. how information collected is used
b. circumstances where information can be disclosed to a third party
c. if the information is accessible by the public
iii. Government institutions shall regularly conduct security threat and risk assessments on their websites, as well as create and regularly review a security plan that describes the necessary security mechanisms and procedures.
iv. Where government institutions solicit or collect information from users through electronic forms or email, they shall ensure that this information is securely transmitted and stored by taking appropriate measures such as data encryption.
v. Where government institutions need to transmit information to users, they shall ensure that the information is protected through appropriate technologies (e.g., SSL). Reasonable care shall be taken to protect the personal information held by a government institution from misuse, loss, unauthorized access, modification, and disclosure.
vi. Where necessary, user registration for access [to services or information] shall be implemented.”
SUPPLEMENTARY LIST ON CBN PAGE
In the case of the CBN, the indexed Excel file’s metadata is not publicly accessible, making it unclear why the names, addresses, phone numbers, email addresses and qualifications of 16 individuals are listed in a publicly available document. The document even contains the year these individuals obtained their higher degrees.
Publishing such personal information is only justifiable in limited cases, such as when individuals are public officials whose contact details are needed for official inquiries or public engagement.

However, none of the people on the list appear to be political appointees or to hold any known public-facing role. The document, titled Supplementary List, contains highly sensitive information, including dates of birth and home addresses.
The only apparent pattern is that many of these individuals seem to work in the finance sector, based on their publicly available digital profiles.

Exposing home addresses and dates of birth poses serious risks. Dates of birth are often used as part of identity verification processes for banking, insurance and other services. When combined with full names and other identifiers, they can allow fraudsters to bypass security questions and impersonate individuals.
Publishing home addresses further increases vulnerability, potentially exposing individuals to physical tracking, threats or harassment. In high-risk professions like finance, where individuals may be targets for scams or extortion, such exposure is particularly dangerous.
This kind of data breach not only endangers personal safety and privacy but also reflects a disregard for basic data protection standards.
SUBNATIONALS
Dorking results for several subnational government websites reveal publicly accessible documents containing personal information of individuals who attended various government-organised gatherings.
These documents, often in the form of attendance sheets, typically include names, phone numbers, email addresses, and signatures of participants.
For example, the Benue State Government website hosts the “Report of the Benue State Year 2020 Citizens’ Input Participation Meetings,” which includes such personal details.
Similarly, the Ministry of Budget and Planning in Zamfara State published an attendance sheet for its 2024 budget town hall meeting held on October 7, 2023, at Garba Nadama Hall, J.B. Yakubu Secretariat, Gusau.

In Kebbi State, the Price Intelligence and Public Procurement Bureau, in collaboration with the Ministry of Budget and Economic Planning, has also exposed participant data through similar documents.

Sokoto State Government listed attendee information for its December 24, 2024, private sector consultation on the State Business Enabling Reforms Action Plan.
Likewise, the Borno State Ministry of Finance, Budget, and Economic Planning published an attendance list for its 2021 budget town hall meeting held on August 20, 2020, at the Government House in Maiduguri.
The attendance sheet for Osun State’s citizen consultative forum for the 2023 budget is public with names, addresses, emails and phone numbers of the citizens that attended it.

The publication of such personal information should only occur with the informed consent of the individuals involved. Making these details publicly accessible without consent exposes citizens to privacy risks and undermines trust in public institutions.
WHAT DOES THE NDPR SAY?
Under the NDPR, the NDPC classifies any information that can identify an individual, such as phone numbers, email addresses and home or work addresses, as “personal data”.
These data elements require a lawful basis for collection and processing. Even more stringent rules apply to Bank Verification Numbers (BVNs), which are deemed “sensitive personal data”.
When a breach that exposes personal data or sensitive personal data occurs, the NDPR imposes strict notification requirements. Data controllers must inform the NDPC within 72 hours of becoming aware of any incident likely to harm individuals’ rights or freedoms.
Affected data subjects must also be notified “without undue delay” so they can take steps to protect themselves against identity theft, fraud or other potential harms arising from the exposure.
The NDPC has not shied away from enforcing these rules. In August 2024, for example, it levied a N555.8 million fine against Fidelity Bank for processing customer data, including account identifiers, without proper consent or legal basis.
When FIJ called the agency on Monday, it requested time to address FIJ’s observations.
The post How CBN, Edo, Other Govt Sites Leak BVNs, Personal Data of Nigerians appeared first on Foundation For Investigative Journalism.