NIMC Server Hacked, As Millions of Nigerian NIN Stolen

Over three million National Identity Numbers of Nigerians have been stolen after a hacker known only as Sam broke into the server of the National Identity Management Commission.

Revealing how easy it was for him to breach the NIMC server and access personal information of millions of Nigerians in an article he shared on infosecwriteups.com, the hacker boasted that he got access to “juice” on the Nigerian Government agency’s server and that he could go ahead to do whatever he desired with other sensitive data at his disposal.

As the technical hitch that has bedeviled the portal of the National Identity Management Commission (NIMC) persisted yesterday, data security experts said it is feared that the portal may have been compromised by hackers. However, Engr. Aliyu A. Aziz, the DG/CEO, is yet to commit.

It was revealed that telcos had continued to turn back subscribers seeking to retrieve lost, damaged or stolen SIM cards due to their inability to verify their customers’ NIN.

Responding to complaints from Twitter users, MTN Nigeria said it could not process SIM swap and update requests due to challenges with the NIMC portal.

“We are sorry we currently cannot process SIM swap and update requests due to external challenges. We appreciate your understanding and will post an update once this has been resolved,” MTN said.

Agencies such as immigration, police and road safety are among government agencies affected, according to officials.

Staff of the Nigeria Immigration Service who spoke to Leading Reporters said that there are people who have been waiting for over 7 months for their NIN verifications to drop for international passport processing.

Displaying a defaced National Identity card of a Nigerian alongside the article, the hacker said, “I’ve got one more output for s3 bucket, I casually tried to access it without any hope, and damn! The s3 bucket is full of juice.

“I just simply got access to their (Nigeria) data of internal files, users and everything they have. I can download everything, even the whole bucket. I am sure that the bucket is full of juice.

“I wanted to look at more files but as we have to follow bug bounty rules I stopped doing more. 

“I’ve got one more s3 bucket with nuclei and it also contained about 4–5 gigs of data.

“I’ve rewarded 5250$ for only one report and 0$ for the second one even it contained so much sensitive data,” the hacker wrote in the article that has continued to generate reactions from some Nigerians on Twitter especially tech enthusiasts.

A user on the micro-blogging platform with the handle @isidags while reacting to the development said, “I’m shocked Nigerians are shocked.

“Seems you people don’t know the government and country you’re involved with.”

Another user known as @boluxxxx while commenting said, “Jokes aside, this is enough reason for Buhari to sack Pantami.”

Berating Nigeria’s weak cyber security, another Twitter user, @bespokeKENErd, said, “It was only a matter of time before this happened.

“Nigeria’s information security is ridiculously lax. So careless with sensitive data.”

@St_Gothica while reacting to the issue said, “This is exactly why I never wanted to do the NIN registration. Delayed it as long as I could.”

Another Twitter user, @The_Jonathanian, said, “Somebody should tell Sheik Pantami that the most sensitive data of Nigerians under his care have been compromised and floating in the wild.”

The hacking of the NIMC server has not only exposed Nigeria’s weak cyber security but also highlighted the danger the country’s residents and investments are currently under.

The latest cyber attack comes less than two months after the Nigerian Communications Commission in November 2021 issued a warning that an Iranian hacking group was planning to carry out cyber espionage across Africa.

A statement from the agency had further disclosed that the hackers were targeting telecoms, Internet Service Providers, and Ministries of Foreign Affairs in Nigeria and other African countries.

The incident also comes months after the President Muhammadu Buhari administration, while mandating Nigerians to enroll for the National Identification Number, claimed that it was going to stop crimes in the country, including those perpetrated via the Internet.

Speaking during the launch of the National Policy for the Promotion of Indigenous Content in Nigerian Telecoms Sector and Revised National Identity Policy for SIM Cards registration in May 2021, President Buhari said, “The NIN will cover one of the weaknesses in our security structure. We will be able to easily identify and know the personality of Nigerians.

“We will identify people easily, including the crooks.”

Assuring Nigerians of how vital the new system would be to crime fighting in the country, Minister of Communications and Digital Economy, Isa Pantami, in June 2021, claimed that incidents of terror such as banditry and kidnapping in the country had significantly reduced as a result of the insistence by government for persons in Nigeria to register for NIN.

Pantami went further to say that the improved database will protect Nigerians more than ever before.

But despite those assurances, the latest attack has exposed the failure of the President Buhari administration to protect Nigerians from cyber criminals.

Over 60 million Nigerians had so far been captured on the national identity database, according to the NIMC. 

NIMC denies hacking

NIMC debunked the notion that its portal had been hacked, saying that the portal was only undergoing routine maintenance.

Over 60 million Nigerians and legal residents of the country have been registered and given their unique identity numbers otherwise known as NIN.

We further report that some banks and telecommunication operators in the country have refused to attend to some customers since last week due to the “maintenance” being carried out on the identity portal.

The federal government has made it compulsory for Nigerians to supply their NIN before they can access certain services offered by some private companies and government agencies.

When the NINs are supplied, the companies and agencies will then verify the unique numbers using the NIN verification portal of NIMC. 

However, NIMC’s portal has been down since last week and the development is said to have affected the issuance of international passports, account opening at banks and SIM replacement by telecommunications operators.

NIMC, in a statement on Monday by its spokesperson, Kayode Adegoke, said it was an unreasonable action for the organisations to shirk their duties.

The commission said these organisations had an alternative platform through which they could render services. The alternative platform, according to NIMC, is TOKENISATION. “Tokenization is working!!!” NIMC declared.

Adegoke, who is the NIMC Head Corporate Communications, said:  “Even though the NIN verification service (NVS) might be down due to maintenance by one of our service providers of its infrastructure, the alternative platform – TOKENISATION is up and running. No one should be debarred of any service on the guise of NIN not being verified”.

“The NVS issue has not in any way affected our other operations and services-Enrollment/issuance of NIN and other services going on”.

“There is the need to ask questions from the Telcos, The Nigerian Immigration Service (NIS), Banks and others on the reason for turning down customers in the guise of NIN not being verified due to the temporary unavailability of the NVS, while the alternative platform- Tokenization is working!!!

“NIMC NVS platform is not the only verification platform available for use, but Tokenisation which protects the identity of NIN holders is also up and running!!!

“And for accurate information, it is not a NIMC problem, rather, a government service provider has embarked on maintenance of its infrastructure, which has affected most government agencies that rely on it for the provision of IT service.”

Galaxy Backbone contradicts NIMC claims on maintenance

Galaxy Backbone, a government agency whose mandate is to store all data for MDAs and provide backup for their data, apologised for the temporary service outage on the network.

“The management of Galaxy Backbone Limited (GBB) regrets the temporary outage of some of its services and the inconvenience being experienced by some of its customers across the country”, the agency said in a statement signed by its Head of Communications, Chidi Okpara.

News Credit: saharareporters/dailytrust
