imcverify.ng, a private website, is selling Nigerians’ personal data for as little as N150, despite having no formal affiliation with the National Identity Management Commission (NIMC).
FIJ found that anyone can retrieve another person’s National Identification Number (NIN) record using only their phone number.
The method is straightforward. Payments are made either to an account generated uniquely for the buyer or directly to the administrator’s account. The page is operated by “Timzytech Developers” and offers NIN printouts for between N150 and N280.
The service also advertises NIN modification, Bank Verification Number (BVN) retrieval and other unauthorised identity services.
NOT LICENSED BY NIMC
FIJ tested the platform using the phone numbers of three consenting Nigerian journalists and it worked successfully.
Egalitarian Voice confirmed thatN imcverify.ng and Timzytech are not listed among NIMC’s licensed handlers of Nigerians’ identity data. They also do not appear in the commission’s register of NIN verification clients, which includes banks, telecom operators and other approved data processors.
Despite presenting itself as a solution to delays in the identity management system, nimcverify.ng is not recognised as a Front-End Partner (FEP), the category of third-party service providers officially licensed by NIMC to handle enrolment at the grassroots.
WHO IS RECORDS ARE REDACTED
The domain registration records show how new and deliberate the operation is. WHOIS data shows that nimcverify.name.ng was registered on May 22, and it is set to expire on May 22, 2026.
It was registered through Truehost Cloud, a Kenya-based registrar with a Nigerian business address listed as Ryanada Place, Cell Apartment, Highpoint, Juja.
The registrant’s name, street address, and contact details have been redacted for privacy, but the country field is set to Nigeria. Administrative, technical and billing contacts are all also listed under Nigeria, with privacy protection in place.
ALSO READ:
EXPLAINER: Dangers of Revealing ACCOUNT DETAILS to Secure Loans Online
2027: Why Arapaja Offers Oyo the Leadership Edge, Not a Learning Curve || By: ALAYAKI ONA-ARA
How to Register Your Business/Company With Corporate Affairs Commission (CAC)
https://wa.me/qr/IYYFWQX57SR4M1
The website’s hosting points to Cloudoon’s infrastructure, with three name servers — ns1.cloudoon.com, ns2.cloudoon.net, and ns3.cloudoon.org. The domain status is “active” as of the last update on Tuesday.
This is not the first time such illegal data vending platforms have surfaced. FIJ previously documented how NINs, BVNs, photographs and other personal identifiers were being openly sold online, with four complete profiles purchased for just N560.
DANGERS OF DATA EXPOSURE
The dangers of this are wide-reaching. Criminals with access to a person’s NIN, BVN, address, and phone number can steal their identity, open bank accounts, take loans or commit fraud in their name.
With a BVN, they can bypass some banking verification processes and carry out unauthorised withdrawals.
The more data points criminals can combine, the easier it becomes to build a full profile for targeted scams, phishing attacks and social engineering schemes.
Victims could also be harassed, stalked or kidnapped if their home addresses are compromised, or face reputational ruin if their details are used in criminal activity. Some may even be blacklisted from banking systems over fraudulent transactions carried out in their name.
WHAT THE LAW SAYS
Section 14 of the NIMC Act, 2007, gives the Commission sole responsibility for establishing and maintaining the National Identity Database.
Section 26 restricts access to personal data to instances where the individual has consented, a court has ordered it, or regulations permit it. Section 28 makes it a criminal offence to access, disclose, sell, or use identity information without lawful authority, carrying a penalty of at least N1 million in fines and/or a minimum of three years in prison.
The Nigeria Data Protection Act (NDPA), 2023, is equally firm. It requires that personal data be processed lawfully, fairly and transparently, and only on valid legal grounds such as consent, contractual necessity or statutory obligation.
In the event of a data breach, the Act requires notification to the Nigeria Data Protection Commission (NDPC) within 72 hours, and to the affected individuals if the risk to them is high. Breaches can attract penalties of up to N10 million or 2 per cent of a company’s annual gross revenue.
For now, nimcverify.ng remains another open doorway to Nigerians’ most sensitive identity information, operating behind a shield of domain privacy while its operators continue to trade in the private lives of millions.
Credit: FIJ
