Gombe State has made a decisive shift toward digital governance in its effort to boost internally generated revenue (IGR), adopting a digital payment system to simplify tax collection and block leakages. While the reforms have delivered measurable revenue gains, weaknesses in data protection expose taxpayer information to risk, highlighting the promise and peril of digital public infrastructure (DPI) at the subnational level.
Nigeria loses an estimated $18 billion annually to revenue leakages driven by tax evasion, manual collection processes, and weak administrative systems, according to the Federal Ministry of Finance. As a result of this, Gombe State Internal Revenue Service (GIRS) deployed a shared digital revenue platform that enables electronic payments, online registration, and automated remittance across government agencies.
Rather than operating as a standalone IT project, the system functions as public digital infrastructure: a reusable, government-backed platform that supports revenue collection, public finance management, and service delivery.
“With all the support from His Excellency, the government should expect increased revenue and the people of Gombe State should expect improved service delivery from us”, Aisha Adamu, executive chairperson of Gombe State Internal Revenue Service, pledged.
She noted that the service exceeded its 2023 revenue target by 15 per cent, generating over ₦15 billion, the highest IGR recorded in the state at the time.
Building on that momentum, GIRS set an ambitious ₦22 billion target for 2024, nearly doubling the earlier benchmark.
In 2023, Adamu outlined plans to expand access to digital tax services by offering online payment options and establishing additional tax offices across the state.
“To bolster trust and efficiency, we plan to leverage modern technology for enhanced revenue collection,” she said.
Digital payments and public infrastructure
At the core of Gombe’s reforms is a digital payments layer, one of the foundational components of Digital Public Infrastructure alongside identity and data exchange.
Beyond the tax office, the platform routes payments from hospitals and multiple government agencies directly into state accounts, limiting human discretion and improving auditability. The system represents a shift from manual processes to a unified, reusable public digital backbone, one of the defining characteristics of digital public infrastructure.
Hospitals in Gombe now use the same system to collect fees for consultations, laboratory tests, admissions, and other services, illustrating how a single digital backbone can be reused across sectors.
By 2026, GIRS said the adoption of digital systems had significantly expanded the tax net and improved remittance discipline. Between 2019 and 2025, Gombe’s IGR grew from ₦6.8 billion to ₦26.5 billion, reflecting improved compliance and direct payment into government accounts. Annual collections rose steadily: ₦6.8 billion in 2019; ₦8.4 billion in 2020; ₦10.5 billion in 2021; ₦13.1 billion in 2022; ₦15 billion in 2023; ₦20.7 billion in 2024; and ₦25.6 billion in 2025.
A study found a significant relationship between ICT availability and increased revenue collection, as well as a positive correlation between ICT adoption and ease of doing business within GIRS.
Creating revenue tribunal
Beyond technology, institutional reforms also played a role the establishment of a revenue recovery tribunal strengthened enforcement and signalled political backing for compliance.
Gombe state governor, Muhammadu Inuwa Yahaya has repeatedly argued that curbing corruption among revenue collectors is central to fiscal sustainability.
“One issue of great concern is the disturbing corrupt attitudes and habits of revenue collectors, a lot of revenue is being lost as a result of nonchalant attitude and corrupt tendencies of tax collectors.
“It is my belief that the tribunal will take necessary steps to address these issues and support the state’s Internal Revenue Service in its bid to generate more revenue for the development of the state,” he said.
Where the system falls short
Despite these gains, the digital tax system has a critical weakness: data protection. In 2025, cybersecurity experts raised alarm after a threat actor attempted to sell access to GIRS systems on a dark web forum for $500. The incident highlighted gaps in security-by-design and raised questions about how taxpayer data is governed within the state’s digital infrastructure.
The possibility that criminals could access backend revenue systems, potentially exposing financial records and digital wallets highlights what experts describe as weak enforcement of the Nigeria Data Protection Act (NDPA) 2023.
This concern is not isolated. Nigeria has recorded multiple data privacy failures, including breaches at the National Identity Management Commission (NIMC), where citizens’ National Identification Numbers (NINs) were reportedly sold online like peanuts. The exposure of Tax Identification Numbers (TINs) carries distinct risks, as TINs are permanent identifiers linked to individuals’ financial histories and obligations.
The challenge is compounded by design flaws in the GIRS portal itself. A basic name search on the platform reveals full TINs of registered taxpayers, an identifier classified as personal and potentially high-risk data under the NDPA 2023. Such unrestricted access raises serious concerns about consent, proportionality, and safeguards in a state-run digital public system.
A search on the portal revealed names and TINs of Justice Halima Sadiya Mohammed, Gombe State Chief Judge, Hon. Abubakar Luggerewo, Speaker House of Assembly, including public and corporate organisations such Economic and Financial Crimes Commission (EFCC), Ministry of Finance, United Bank for Africa, Access Bank, and Ministry of Information.
However, the Gombe State Internal Revenue Service did not respond to WhatsApp messages sent to it regarding this findings as at press time.
Why sub-national DPI failures matter nationally
Nigeria’s national digital strategy envisions interoperable government platforms where data flows across federal and state systems for taxation, identity verification, social services, and payments. As these connections are activated, insecure or poorly governed state-level systems risk becoming entry points for breaches that can compromise national platforms demonstrating why DPI governance cannot be uneven across tiers of government.
While digital taxation is critical for expanding the tax base, reducing leakages, and improving service delivery, weak privacy protections risk exposing citizens to identity theft, financial fraud, and surveillance outcomes that can erode trust and undermine compliance.
This failure is particularly striking given that GIRS was ranked fourth in Nigeria for digital tax administration in 2025. Experts say DPI success is measured not only by efficiency or revenue gains, but by adherence to core principles: privacy-by-design, security-by-design, inclusion, and accountability. While Gombe’s system has delivered revenue growth, weaknesses in data protection reveal a gap between digitisation and responsible DPI governance.
Ali Sabo, a digital rights officer at the Centre for Information Technology and Development (CITAD) said “this highlights systemic weaknesses in Nigeria’s digital public infrastructure, particularly the lack of privacy-by-design, poor access controls, and weak accountability mechanisms. Many government portals prioritize visibility and revenue collection over data protection and security architecture.
“Exposing Tax Identification Numbers (TINs) is extremely risky in Nigeria because the country already struggles with weak cybersecurity enforcement and frequent data breaches across both public and private systems,” he said. “When sensitive identifiers like TINs are publicly accessible, they can be harvested at scale by fraudsters and reused indefinitely.”
“In a high-risk digital environment, a TIN becomes a permanent vulnerability. Unlike passwords, it cannot be easily changed. Once leaked, the individual, whether a civil servant or a private citizen remains exposed to fraud, impersonation, and long-term financial harm.”
He stressed the need for data protection audits for all state-level digital systems, clear sanctions for public institutions that expose personal data, capacity building for state revenue services on data protection and cybersecurity, central oversight by the Nigeria Data Protection Commission and integration of data protection impact assessments before launching any government portal.
“Accessing individuals TINs can enable multiple forms of crime, including targeted phishing and social engineering, where criminals pose as tax officials, profiling and surveillance, particularly dangerous for judges, legislators, and political office holders, political or financial blackmail, especially against high-ranking public officials and ultimately, a TIN can become a master key for accessing or manipulating other systems,” he concluded.
Lessons for Gombe from Abuja
For citizens, DPI success hinges on trust. When taxpayers fear that their personal data is exposed, they are less likely to comply voluntarily, adopt digital platforms, or share accurate information. This trust deficit can undermine the very objectives of digital tax reforms, reducing compliance, slowing adoption, and weakening long-term revenue sustainability.
Usamatu Abubakar, a legal practitioner in Gombe said knowing that his TIN could be accessed through a simple name search made him feel exposed and insecure.
For him, the exposure has reduced his trust in government-run digital systems.
“There is no longer safety or protection,” he said. “The revenue service should immediately restrict access to TINs for official use only.
In several states, digital tax platforms are built with privacy and security embedded into their design. Users must log in before accessing any personal or financial information, ensuring that sensitive data is visible only to authorised individuals.
For example, the Abuja Internal Revenue Service requires each taxpayer to create a unique account with a username and password before they can view or pay their taxes. This authentication layer prevents unauthorised access and protects personal identifiers such as TIN and payment records.
A similar model is used in most tertiary institutions, where students must log in with institution-issued credentials before accessing their portals. Without authentication, no personal or financial information is displayed.
These systems demonstrate security-by-design and privacy-by-design in practice—core principles of digital public infrastructure.
For Gombe State, closing this gap is no longer optional. By redesigning its tax portal to comply with the Nigeria Data Protection Act 2023, the Internal Revenue Service can protect taxpayer data, rebuild public trust, and position itself to safely integrate into Nigeria’s national, interoperable DPI ecosystem.
This report is produced under the DPI Africa Journalism Fellowship Programme of the Media Foundation for West Africa and Co-Develop.
LIKE & FOLLOW US ON FACEBOOK, X, INSTAGRAM, LINKEDIN & YOUTUBE
