The website of the Foundation for Investigative Journalism (FIJ) has suffered multiple coordinated cyberattacks traceable to the National Identity Management Commission (NIMC) headquarters in Abuja.

The Distributed Denial of Service (DDOS), which briefly knocked FIJ’s website offline, started on Thursday morning.

DDOS attacks happen when attackers flood a website with fake traffic, usually from many hacked computers (a botnet) to overwhelm the server. As a result, the website would be unable to handle real visitors and ultimately shut down after continuous barrage.

The attacks are coming after FIJ published a series of reports exposing registered companies and private individuals illegally trading Nigerians’ NIN data for cheap on the data black market.

“When I checked, it wasn’t loading either, so I contacted the service provider. In fact, they were the ones who first discovered the issue,” said the head of FIJ’s web team.

In the last 72 hours, over 3 million requests on the website server resulted from hits from the IP address.

According to his technical analysis of the situation, the service provided identified an IP address that had overwhelmed FIJ’s website with over 50,000 requests within an hour. A deeper analysis eventually revealed the scale of the attack.

The requests were originating from mostly unknown devices, operating systems and browsers

“In the last 72 hours there were about 2 million requests. Each hit is a real request because once you visit the site, 15–20 scripts are loaded, each as a separate request.”

Most of the requests came from undefined devices and browsers, a sign of a coordinated cyberattack.

“The same IP address was behind it, and when I checked the IP, both on Cloudflare and on What’s My IP Address, it showed NIMC,” he added.

Further findings revealed that the IP address coordinating a DDoS attack on the fij website is coming from the NIMC HQ in Abuja.

FIJ’S DATA BREACH REPORTS

FIJ has been documenting instances of black market sites illegally selling the data of Nigerians at cheap prices since 2024. In March 2024, FIJ reported how Xpressverify, an unlicensed website, monetised NIN recovery and printing from Nigeria’s database.

The report generated impact immediately and forced the NIMC and other agencies regulatory data privacy to launch investigations.

But in July 2025, FIJ again exposed NINPrint, a platform operated by Abbeytech Ventures, for selling NIN records for as low as N180 per request. FIJ tested the platform by purchasing the data of four Nigerians who consented to the process.

In another instance on August 8, FIJ reported how NINCard had been illegally offering ID services since October 2023 without a licence. The report also revealed how the NIMC had been aware of the website’s activities for over a year but did not shut it down.

Four days later, on August 12, FIJ also reported how nimcverify.ng was selling Nigerians’ NIN records for N150 to anyone with just a phone number.

FIJ’s most recent story in the series detailed how IloTech, a virtual top-up platform, was secretly selling Nigerians’ NIN records for as low as N180 each. FIJ was able to obtain the records of a Nigerian minister and a senator through the site.

All of these illegal websites were taken down after FIJ’s story. The speed of the impact ranged from between less than 24 hours to seven days.

WHAT IS THE JOB OF THE NIMC?

The National Identity Management Commission (NIMC) was created under the NIMC Act No. 23 of 2007 to establish, own, operate, maintain, and manage Nigeria’s national identity system.

According to Section 5 of the Act, NIMC’s core mandate is to create and maintain the National Identity Database, register all Nigerian citizens and legal residents, and assign each person a National Identification Number (NIN).

It is also responsible for issuing General Multi-Purpose Identity Cards linked to the NIN, ensuring that identity records are kept up to date, and collaborating with other agencies like INEC, Immigration, FRSC, and banks to make the NIN usable across public and private services.

The law also emphasises the protection of personal data. Section 26 makes it clear that all information in the National Identity Database must be kept confidential.

Sections 14 and 27 prohibit the unauthorised use, disclosure, or sale of identity information. NIMC is therefore required to manage the system not just for registration but also with strong safeguards for privacy.

The Act sets out clear punishments for those who attempt to compromise the system. For example, Section 29 provides that anyone who gives false information during registration can face up to three years in prison or a fine of N100,000, or both.

Under Section 28, using or possessing another person’s NIN or ID card without authorization carries the same penalty. More serious breaches are addressed in Section 30, which prescribes up to ten years in prison or a fine of N10 million, or both, for anyone who unlawfully accesses, leaks, sells, or misuses identity information stored in the NIMC database.

NO PUNISHMENTS SO FAR

Both the NIMC and the Nigeria Data Protection Commission, the agency responsible for data privacy regulation in Nigeria, were made aware of the published FIJ reports. But none of the perpetrators has been brought to book.

As of press time for instance, FIJ can confirm that Timzytech, the individual who managed nimcverify, has simply switched to a new page to continue selling Nigerians’ data for cheap.

Since 2011, Nigeria has spent about $630 million trying to build a functional national identity system. That year, the federal government under Goodluck Jonathan approved N30.66 billion to provide electronic ID cards to all Nigerians above the age of 18.

By 2019, the country secured a $433 million World Bank-backed grant supported by the French Development Agency (AFD) and the European Union. The project’s goal was to register at least 148 million Nigerians by mid-2024 and strengthen the country’s identity management infrastructure.

This database is still porous.