Edo State Government Published Loan Applicants’ BVNs, NINs, and Bank Accounts Online
The Edo State Government unlawfully published spreadsheets containing sensitive personal data of residents who applied for micro, small and medium enterprise (MSME) loans, an investigation by the Foundation for Investigative Journalism (FIJ) has revealed.
FIJ reviewed two separate files uploaded to the state’s official website in December that exposed personally identifiable information of applicants. The datasets included home addresses, email addresses, phone numbers, dates of birth, bank account numbers, Bank Verification Numbers (BVNs), and National Identification Numbers (NINs).
The files were published by Donatus Ighekume, the administrator of the Edo State website, and listed names of loan applicants as well as loan amounts disbursed.
One file, titled LAPO First Disbursement List under DLI 4, contained names, addresses, disbursed amounts, BVNs, NINs, and account numbers. Another document, EDSG LAPO MSME Sept Report – First Batch, listed details of 147 people, including names, addresses, BVNs, and dates of birth.
Linked to World Bank-Backed SABER Programme
The disclosure appears deliberate, as the files were uploaded as part of Edo’s Delivery-Linked Indicators (DLIs) submissions for the States Action on Business Enabling Reforms (SABER) programme.
SABER is a $750 million results-based programme (2023–2025) in which all 36 states and the FCT signed up to implement reforms aimed at improving Nigeria’s business environment. States only receive disbursements after independent verification of reforms in land administration, digital infrastructure, fibre-optic rollout, investment promotion, and government service delivery.
By 2025, at least 28 states had reportedly received between $1 million and $4 million each for meeting initial benchmarks. DLI 4, under which Edo uploaded the spreadsheets, focuses on improving the investment promotion environment.
Legal Breach of Data Protection
Publishing raw datasets containing BVNs, NINs, addresses, and dates of birth exposes citizens to identity theft, fraud, phishing, and even physical risks.
The Nigeria Data Protection Act (NDPA) 2023 obligates data controllers, including state governments, to process personal data lawfully and securely.
- Section 24(2): “A data controller or data processor shall implement appropriate technical and organisational measures to ensure the security, integrity and confidentiality of personal data in its possession.”
- Section 25(1): “Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing, access, loss, destruction, damage, or disclosure.”
Posting sensitive information in public spreadsheets violates principles of the Act, including purpose limitation, data minimisation, and confidentiality.
The National Information Technology Development Agency (NITDA) also requires government websites to ensure secure collection, transmission and storage of user information, alongside regular security reviews.
Clarification from Edo Government
Responding to FIJ’s findings, Bugie Okhuemoi, Special Adviser on Media and Publicity to Governor Monday Okpebholo, said the documents were uploaded under the immediate past administration.
“At the time this occurred, the current government had not assumed control of the said website,” Okhuemoi explained, noting that Governor Okpebholo only took office in November 2024, weeks before the December publication.
Credit: Foundation for Investigative Journalism (FIJ)