Legal and data protection experts have raised serious concerns after revelations emerged that over 12,000 Nigerian youths are involved in selling sensitive personal data, including Bank Verification Numbers (BVN) and National Identification Numbers (NIN), to fintech companies across the country.

The incident, now under investigation by the Economic and Financial Crimes Commission (EFCC), has sparked widespread condemnation and exposed what experts describe as major gaps in Nigeria’s data protection regime, institutional negligence, and public awareness.

Legal Violations and Regulatory Failure

In exclusive interviews with Nairametrics, data privacy lawyers argue that the development may be a violation of the Nigeria Data Protection Act (NDPA) 2023, especially its Section 39, which mandates that data controllers — including government institutions like the National Identity Management Commission (NIMC) and the Nigeria Inter-Bank Settlement System (NIBSS) — must protect data in their custody from unauthorized access, misuse, or commercialization.

“There have been multiple data leaks from the same data controllers, i.e., NIMC and NIBSS,” said Barr. Oladipupo Ige, Director of Policy at the Data Privacy Lawyers Association (DPLAN).

“They have failed to notify the public of these breaches or offer any mitigation steps to affected individuals — a clear violation of the NDPA.”

Ige warned that the public nature of some of the illicit data-sharing platforms further undermines claims of data security, adding that "cybersecurity lapses and lack of transparency" have made Nigerian citizens vulnerable.

The Legal Backbone: NDPA and the Constitution

Barr. Aloysius Gapa Paul of AAGU Legal emphasized that Section 37 of the 1999 Constitution guarantees every Nigerian's right to privacy. This right is reinforced by the NDPA 2023, which governs how personal data is processed and protected.

He stated:

“Any unauthorized sale or sharing of BVNs and NINs — especially to fintech companies — without proper consent or legal basis constitutes a serious breach of the NDPA.”

Paul added that if such data was accessed through insider compromise or poor data security infrastructure, both NIMC and NIBSS could be held legally liable. He called for criminal prosecution where necessary to deter future abuse.

Fintech Platforms Under Scrutiny

Experts also turned their attention to fintech platforms, accusing them of lax Know-Your-Customer (KYC) protocols and, in some cases, outright complicity.

Barr. Uche John Paul said that by failing to verify the source of user data, some fintechs may be aiding and abetting identity fraud.

“Fintechs must go beyond surface-level checks. Accepting stolen or fraudulently obtained KYC data puts them on the wrong side of the law,” he said.

Public Backlash and Government Responses

Public outrage intensified following the EFCC's confirmation of a growing fraud network involving young Nigerians who buy personal data from victims for as little as ₦1,500 and sell them to fintechs for up to ₦5,000.

The EFCC disclosed that the stolen data is being used to open fake accounts, carry out investment scams, and engage in fraudulent financial activities.

In response, the NIMC disclaimed responsibility, stating:

“NIMC will not be held responsible for any personal information shared voluntarily by individuals… Nigerians have been warned not to share their NINs with unauthorized persons or platforms.”

The agency urged the public to use the NINAuth App to verify and manage their personal data securely.

What Happens Next?

Legal experts and privacy advocates are now calling for a multi-agency crackdown involving the EFCC, the Nigeria Data Protection Commission (NDPC), and other regulators to:

  • Prosecute those involved in unlawful data access

  • Hold fintechs accountable for receiving stolen data

  • Audit NIMC and NIBSS security systems

  • Raise public awareness on data privacy risks

“This is not just about personal data; it’s about national security,” Ige concluded.

As investigations continue, the case is rapidly becoming one of Nigeria’s biggest cybersecurity and data protection crises, shining a spotlight on institutional weaknesses, poor regulatory enforcement, and the urgent need for a data-conscious culture in both public and private sectors.