The National Identity Management Commission (NIMC) on Tuesday said the country’s identity database was not breached by hackers.
There had been speculation that Nigeria’s identity database had been hit by a cyber-attack.
The Director-General of NIMC, Engr. Aliyu Aziz, said in a statement that the commission, as the custodian of the foundational identity database for Africa’s most populous nation, has gone to great lengths to ensure the nation’s database is adequately secured and protected, especially given the spate of cyber-attacks on networks across the world.
“Over the years, through painstaking efforts, NIMC has built a robust and credible system for Nigeria’s identity database. The Commission and its infrastructure are certified to the ISO 27001:2013 Information Security Management System Standard which are revalidated annually,” Aziz was quoted as saying in the statement signed by NIMC’s head of corporate communications, Kayode Adegoke.
He said the agency had ensured maximum security of its systems and database because of the critical nature of the identity data which the Commission collects, manages and maintains as critical assets for the country.
He assured the public that the commission will continue to uphold the highest ethical standards in data security on behalf of the Federal Government and ensure compliance with data protection and privacy regulations.
Aziz said the commission does not use or store information on the AWS cloud platform or any public cloud, despite the usefulness of the NIMC Mobile App available to the public for accessing their NIN on the go.
He said the NIMC MobileID application has no database within the app, nor does it store information in flat files. The Commission has made this app available to the public to reduce and eliminate any delay or challenge(s) in accessing one’s NIN.
“The public should be aware that the possession of a NIN slip does not amount to access to the National Identity Database, but that the NIN slip is just a physical assertion of a person’s identity. Under the data protection regulations, no licensed partner/vendor is authorized to scan and store copies of individuals’ NIN slips but rather authenticate the NIN using the approved and authorized verification platforms/channels provided.
“As part of its policies to protect personally identifiable information stored in the National Identity Database, the public may recall that the Ministry of Communications and Digital Economy through NIMC launched the Tokenization features of the NIN verification service. This solution is to safeguard the personal data of individuals and ensure continuous user rights and privacy,” he said.
On Monday, a hacker identified as Sam claimed he had found a bug on the server of NIMC, revealing how easy it was for him to breach the server and access the personal information of millions of people.
He said he came across the data while looking for something else to help him decompile some applications he was working on.
“As usual, I am hunting for something in the source code of the application, as the scope is huge, so I collected all the applications and decompiled them all at once with apktool with this command: find . -iname "*.apk" -exec apktool d -o {}_out {} \;” he said.
“Now I started to look for something juicy in decompiled files, but as there are about 50+ applications, I can’t look at each of them manually, right? I just got an idea of nuclei, and boom, I knew there are templates for Android applications, I just downloaded them and started nuclei on the whole directory.
“After 18–19 mins of a run, Nuclei gave an output saying S3 Bucket Found, I tried to access it via AWS CLI, and it’s like: Access denied, no luck there.
“Then after a few mins of running, I’ve got one more output for S3 bucket, I casually tried to access it without any hope, and damn! The S3 bucket is full of juice.
“And I was just like: I just simply got access to their data of internal files, Users, and everything they have, I can download everything, Even the whole bucket.”
The hacker also posted the data he obtained in the process, a copy of the national identity slip from NIMC, but defaced it to hide vital information.
Hours later, the hacker recanted, saying the leaked server was not from any Nigerian portal but from Tecno Mobile.
He said he reported the case to Tecno and the bug was fixed.
He also edited the article published on Medium and removed a copy of the national ID posted as a screenshot in the story, but failed to explain why he mentioned Nigeria’s ID database in the earlier version.