If you have registered your details with the National Identity Management Commission (NIMC), there is a possibility that hackers in Russia are trading your sensitive data (alongside that of over 37 million Nigerians) for $1,100.
This is the claim of a report by a US-based digital security company, Digiss. The company’s website says it provides business-aligned cyber security consulting and managed services.
Digiss says in the report that, after receiving information about an alleged breach of the sensitive data of over 37 million Nigerians at the NIMC, it investigated the data breach and published an initial report in October to call the attention of the NIMC.
Although Digiss raised the alarm about the breach, the NIMC ignored this report, as well as suspicions raised in other quarters.
“Last week we reported an alleged breach of NIMC’s database; containing over 37 million sensitive records of Nigerians. The objective was to get NIMC to promptly investigate this news item; and take appropriate remedial actions where required. But we heard that NIMC chose to ignore the report.”
When Digiss saw that the NIMC ignored the report, it dug further to get more evidence of the data breach and found “overwhelming evidence that supports the claim.”
The report says that the hacker extracted the data by exploiting the backend of the NIMC’s buggy mobile app, which has since been pulled. The mobile app had several security weaknesses that made the hack easy.
Digiss says that it obtained sample data from the hacker, who is now selling the full records for over $1100.
“And so we dug further to determine the veracity of the claim; and we found overwhelming evidence that supports the claim. Every key attribute of the NIN slip is contained in the database dump.
“Recall that several news outlets warned not to use the NIMC app in August 2020. We believe that the attacker compromised the backend database of the buggy NIMC’s mobile app; which had since been pulled. We obtained sample data; from the hacker who wants over $1100 for the full records. We found several security weaknesses; which may have been easily exploited by miscreants to breach NIMC’s records. But that information will remain highly confidential for obvious reasons.”
NIMC denies claim
The National Identity Management Commission (NIMC) has denied the data breach of the National database and said the claims are ‘false, a hoax and of mischievous intent’.
The NIMC disclosed this in a statement signed by Head, Corporate Communications, Kayode Adegoke on Wednesday.
The commission said it investigated the claims and discovered that the database schema presented by the alleged hackers did not tally with the existing schema of NIMC records.
The statement reads:
The National Identity Management Commission (NIMC) would like to bring to the attention of the members of the general public that the purported breach of the National Identity Database going round the social media is false, a hoax and of mischievous intent.
The NIMC would like to assure the public that there have been no such breaches or incidents, investigations on the alleged data dump were found to be non-existent in the National Identity Database.
The Commission investigated the data breach claim and found out that the database schema presented by the adversary does not tally with the existing schema of NIMC records. The data being posted by criminals purporting to contain citizens’ information is fake.
The NIMC guarantees the security of the National Identity Database through various layers of security and can assure that no data was breached.
The members of the general public are, therefore, enjoined to refrain from spreading false reports on the purported data breach.