Why stronger NIMC data security is critical to restoring trust in Nigeria’s digital ID system

by Faith Amonimo
March 9, 2026
in Cybersecurity, Opinions & Perspectives

Online identity now sits at the center of daily life in Nigeria. Telcos use NIN for SIM services. Banks and fintechs use it for KYC. Government services also depend on it. So when people see signs of weak security around identity systems, panic spreads fast, and trust drops even faster.

Two screenshots from X posts shared with Techsoma show that tension in real time. These posts also include a blunt suggestion that government agencies should hire cybersecurity experts.

Those are claims on social media. Still, Nigeria has recent, verified cases that explain why citizens react this way and why agencies must treat public trust as a security requirement, not a PR problem.

What the screenshots show

One X user, @Abiodun0x, claims attackers hijacked the NIMC website and that officials have not fixed it. Another user points to a documented government subdomain takeover linked to a police recruitment portal and says the pattern looks familiar.

A third user, @damnsect1, alleges that their correct date of birth changed inside the NIMC app after NIMC announced a higher fee for correcting information. The user says they downloaded a NIN slip when the NIMC app launched and that the slip had correct details. The user says they still have an older slip with the correct information.

Techsoma cannot verify those specific allegations from the screenshots alone. However, we can verify a wider set of security and privacy incidents around NIN data access, phishing portals, and government web domain abuse that match the fears behind the posts.

What we can verify today

Investigative reporting and official statements show that bad actors have targeted Nigerians with fake portals that copy NIMC processes and harvest personal data.

FIJ reported that a fake “NIMC correction portal” that collected personal details under the guise of free corrections went offline after FIJ published its findings. The report described how the site asked for personal information such as name, gender, date of birth, email, and phone number.

NIMC also acknowledged public concern around reports tied to XpressVerify and said it did not license XpressVerify. NIMC said it ordered an investigation into the matter and insisted that Nigeria’s national identity database had no breach.

Then, the Nigeria Data Protection Commission ordered a full investigation into allegations of unauthorized access to personal data of enrollees in NIMC’s database and referenced public concerns around XpressVerify. NDPC said it would work with relevant agencies to audit trails of the alleged unauthorized processing and monetization.

Paradigm Initiative later said it discovered platforms that claimed to sell access to sensitive personal and financial data for as low as N100. It specifically named AnyVerify and described data types it said the site offered. It also said it served pre-action notices to multiple agencies and sought legal redress.

NIMC responded again in June 2024. It denied compromise of Nigerians’ data and named several websites it called unauthorized “data harvesters,” including anyverify.com, while also stating that its infrastructure meets ISO 27001:2013 and that it complies with Nigeria’s data protection law.

This mix of reports and statements creates a clear reality that Nigerians should not ignore. Bad actors actively build services and portals around identity workflows. Even when NIMC denies compromise of its core database, people still face risk through partner misuse, weak controls, phishing, and illegal data brokerage claims.

What the Nigerian Data Protection Act demands

Nigeria’s Data Protection Act sets expectations that matter for identity systems because identity data sits at the top of the risk ladder.

The Act states goals that include safeguarding rights, promoting secure processing, and ensuring that controllers and processors handle data in a fair, lawful, and accountable manner. It also defines data security obligations and personal data breach handling within its structure.

The same Act also establishes the Nigeria Data Protection Commission and lists functions that include receiving complaints, conducting investigations, and collecting and publishing information related to personal data protection, including breaches.

This legal backdrop raises the bar for every agency and vendor that touches NIN data. It also gives Nigerians a stronger basis to demand answers, not just reassurance, after credible reports surface.

What can citizens do right now?

People cannot fix government DNS hygiene or vendor governance from their phones. Still, they can reduce personal risk with habits that match how most identity scams work today.

First, treat any “free correction” link shared on WhatsApp or Telegram as hostile until you confirm it through official NIMC channels. FIJ’s reporting shows that scammers have already copied NIMC processes to harvest sensitive details.

Next, keep your NIN slip and modification receipts safe and private. Do not post them online. NIMC has said vendors should not scan or store slips and that unauthorized sites can harvest and store data to build illegal services.

Also, follow ngCERT guidance on phishing. Avoid unexpected links and do not share bank or identity details with sites you cannot verify. Report suspicious attempts when you can.

Finally, use official modification paths and meet documentation requirements. NIMC lists required documents and steps for date of birth modifications, and it also explains its self-service portal flow. That process reduces “free form” edits and forces a paper trail.

What success looks like for NIMC and other agencies

Nigeria can improve this story without magic tools or big slogans. The best fixes are basic, disciplined, and visible.

Agencies should inventory every public subdomain, retire what they no longer use, and monitor DNS changes in real time. Web Security Lab’s PSC report lists clear recommendations on subdomain lifecycle ownership, monitoring, and decommissioning. Those actions reduce brand damage and shut down a common route scammers use to borrow trust.
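One way to put the inventory-and-monitor recommendation into practice, as an added example that is not from the article or from Web Security Lab's report: compare two DNS zone snapshots and check the result against a subdomain ownership register. All hostnames, targets, team names and the `audit` function are constructed for illustration.

```python
# Added example (not from the article): audit DNS snapshots against an owner inventory.
# All hostnames, targets and team names below are constructed placeholders.

PREVIOUS = {  # yesterday's zone export: name -> (record type, target)
    "www.agency.example": ("A", "192.0.2.10"),
    "recruit.agency.example": ("CNAME", "portal-a.hosting.example"),
    "verify.agency.example": ("CNAME", "edge.cdn.example"),
}
CURRENT = {  # today's zone export
    "www.agency.example": ("A", "192.0.2.10"),
    "recruit.agency.example": ("CNAME", "portal-b.hosting.example"),
    "promo.agency.example": ("CNAME", "landing.hosting.example"),
}
INVENTORY = {  # lifecycle register: name -> owner and status
    "www.agency.example": {"owner": "web-team", "status": "active"},
    "recruit.agency.example": {"owner": "hr-ict", "status": "retired"},
    "verify.agency.example": {"owner": "identity-team", "status": "active"},
}


def audit(previous, current, inventory):
    """Return (hostname, finding) pairs, ordered by hostname, for drift and lifecycle gaps."""
    findings = []
    for name in sorted(set(previous) | set(current) | set(inventory)):
        old, new, entry = previous.get(name), current.get(name), inventory.get(name)
        # Drift between snapshots: every change should map to an approved request.
        if old is None and new is not None:
            findings.append((name, "added"))
        elif old is not None and new is None:
            findings.append((name, "removed"))
        elif old != new:
            findings.append((name, "changed"))
        # Lifecycle checks against the register.
        if new is not None and entry is None:
            findings.append((name, "no-owner"))
        elif new is not None and entry["status"] == "retired":
            findings.append((name, "retired-but-still-published"))
        elif new is None and entry is not None and entry["status"] == "active":
            findings.append((name, "active-but-missing"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(PREVIOUS, CURRENT, INVENTORY):
        print(f"{host}: {finding}")
```

A record flagged `retired-but-still-published` is the decommissioning gap the recommendation targets: the service is gone from the register but the name still resolves somewhere.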

NIMC and its ecosystem should also enforce consent-based verification end-to-end, then publish clearer public guidance on which platforms handle verification. NIMC has already positioned NINAuth as the official integration path and emphasized explicit consent. Wider adoption and strict vendor enforcement can reduce illegal “anyone can look up anyone” models.

NDPC should keep publishing outcomes. The public already saw NDPC order an investigation in March 2024 and promise public preliminary findings within seven days. Consistent follow-through builds deterrence and trust.

When Nigerians see faster remediation, public timelines, and real consequences for abuse, the tone on social media changes. People stop guessing, and they start trusting.
