REPORTER’S DIARY: I Only Swapped Digits on Immigration’s URL. It Gave Me Private Data of Nigerians

Published 5th Jul, 2025

By Timileyin Akinmoyeje

It started with an old Reddit post, now censored by the administration of the forum app, pointing out a data loophole in the website of the Nigerian Immigration Service (NIS).

The post, made in 2023 by an individual named Ihex, detailed how the Nigerian High Commission’s passport renewal site could be manipulated to expose personal details of applicants.

This detail-oriented user had somehow found that by tweaking a URL parameter encoded in base64, anyone could access the appointment dates, tracking numbers, email addresses, names and phone numbers of other applicants.

Curious, and admittedly sceptical, I decided to try something similar. After all, it fits into my ongoing audit of data handling practices by Nigerian public institutions. After acquiring a layman’s knowledge of the risks, I visited the Nigerian Immigration Service’s appointment portal.

According to Nigeria’s 2023 Data Protection Act, data controllers must ensure personal data is stored and processed securely. The point of my experiment was to find out what “secure” really looks like on a federal government website.

The answer I found in this case was not very reassuring.

BASIC URL EXPERIMENTS WITH DAMNING RESULTS

I accessed an appointment page (pdf) with the details of a known person. This is something anyone who has ever booked a session with immigration can access. The URL, as expected, ended in a base64 string.

I decoded it out of curiosity and saw that it resolved to a simple number. To test if the loophole my lead had shown still held true, I added one to the digits in the string. Then another. Each time, the page refreshed and loaded a new set of personal details: different names, emails, and appointment data just sitting there, exposed.

There were no security warnings. I did not get notified that access had been denied. There were no authentication prompts. All I saw were open files waiting to be found by anyone interested enough to look.
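The pattern described above (an identifier that is only base64-encoded, served with no login or ownership check) set beside a hardened handler, as an added example that is not the NIS portal's code. The record store, account names, server key and function names are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample records (not real data): slip id -> owner account and details.
SLIPS = {
    1001: {"owner": "acct-a", "name": "Applicant A"},
    1002: {"owner": "acct-b", "name": "Applicant B"},
}
SERVER_KEY = secrets.token_bytes(32)  # assumption: a secret held only by the server


def weak_token(slip_id):
    """The article's pattern: the URL carries base64 of a plain sequential number."""
    return base64.urlsafe_b64encode(str(slip_id).encode()).decode()


def weak_lookup(token):
    """No session, no ownership check: any decodable token returns its record."""
    slip_id = int(base64.urlsafe_b64decode(token))
    return SLIPS.get(slip_id)


def signed_token(slip_id):
    """Hardened reference: id plus an HMAC tag, so an edited id fails validation."""
    body = str(slip_id).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + b"." + tag).decode()


def hardened_lookup(token, session_account):
    """Require a session, verify the tag, then check the caller owns the record."""
    if session_account is None:
        return 401, None  # no authenticated session
    try:
        raw = base64.urlsafe_b64decode(token)
        body, tag = raw.split(b".", 1)  # body is digits only, so the first dot separates
        expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return 403, None  # reference was altered or forged
        slip = SLIPS.get(int(body))
    except ValueError:  # bad base64, missing tag, or non-numeric id
        return 400, None
    if slip is None or slip["owner"] != session_account:
        return 403, None  # same answer for "missing" and "not yours"
    return 200, slip
```

The signed reference only stops tampering with the URL; the ownership comparison against the session is what keeps one applicant's slip from being served to another, and it is needed even when the reference is unguessable.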

NAMES, DATES AND A SYSTEM TOO EASY TO BREAK

I stopped after five tweaks due to ethical considerations. But within those five URL changes, I had pulled up PDF documents containing appointment confirmations and sensitive data of real people.

Among them was Osikwemhe Peter, who, according to his slip, was scheduled for an appointment at Benin in September 2022. There was also Abubakar Fadima Salisu, with a similar timeline, who must have visited the NIS office in Zaria.

There were other names like Oboigba Liberty, whose appointment was set for October that same year. I also found that Ogijuifor Edmun Kamisochuwku had a scheduled date back in January 2021.

Exposed appointment slip.

The documents varied slightly in layout but carried consistent details: full names, appointment locations, tracking numbers, and contact information, all of which could be mined by anyone with little technical know-how.

THE DANGER OF ‘JUST AN EMAIL’

On the surface, it may not seem like a big deal. These appointments are past events, right? But even outdated records carry some digital weight.

Names and email addresses are not harmless. They are personally identifiable information (PII) which, once exposed, can be exploited in ways most people do not immediately consider.

I know firsthand what can happen when an email address gets into the wrong hands. Scammers can use it to craft believable phishing messages. Some harvest emails to sell to spammers.

Others might cross-reference the information with existing data breaches, then launch targeted attacks or impersonation attempts. With just a few data points, an attacker can try to reset your accounts or deceive your contacts. In the context of a sensitive government process like passport issuance, the stakes are even higher.

WORST CASE SCENARIOS ARE POSSIBLE

Beyond the digital risks, there is the potential for offline abuse. If bad actors can access appointment details, they could cancel or reschedule someone’s slot out of malice or for money. This is not speculation. It already happened in other parts of the system.

In October, a man in Delta State paid N180,000 for a 10-year passport renewal. But when he showed up for his biometric capture, officials told him the slip had been altered to show a five-year booklet instead. To “fix” the issue, an immigration officer demanded an extra N40,000 on the spot. His appointment, in effect, had been hijacked for profit.

Similarly, in 2022, Daybreak Newspaper exposed how a Passport Control Officer in Kogi State hoarded passport booklets and forced applicants to pay N30,000 under the table while legitimate appointment slots went unused.

These are some of the consequences of weak controls, both online and offline.

LAWS SAY THIS SHOULD NOT HAPPEN

Nigeria’s 2023 Data Protection Act was introduced to curb this kind of careless handling of citizens’ information. According to section 39(1) of the legislation, any organisation that collects or processes personal data must do so in a secure, transparent and accountable way.

Agencies like the Nigerian Immigration Service are data collectors and they must ensure that no user’s private information is exposed, certainly not through something as easily avoidable as an unsecured URL.

When a breach does occur, the law requires that victims be informed and, in some cases, compensated. But in practice, these breaches are often quietly ignored, or worse, completely unnoticed.

This was not a hack. I did not inject code. I did not crack passwords. I only replaced digits in a string of characters on a government-owned website. That was all it took to stumble upon the personal records of fellow Nigerians.

This loophole is the kind of vulnerability that should have been patched years ago. The kind that tells you, in plain terms, that despite all the talk of “digital transformation”, many of Nigeria’s public systems still treat data privacy as an afterthought.

This is not the first time the NIS has been found wanting in keeping to data protection standards. In October 2024, the agency came under fire for publishing a page of uncollected passports. The page had the documents, names, addresses and phone numbers of the passport owners. It would later get removed after the backlash.

Meanwhile, after making these findings, I decided to inform the Nigeria Immigration Service. I attempted to call the agency through the phone number listed on its website. Typical of many government agencies, the phone lines were switched off.

On Friday, I sent an SMS message and an email to the agency to bring their attention to this issue. At press time, they had provided no response.
