In 2025, a threat actor known as Ghudra advertised access to the Gombe Internal Revenue Service on a dark web forum for $500, raising serious concerns about data management and cybersecurity practices in public institutions. Experts warn that unauthorised access to the revenue service could reveal financial records, digital wallets, taxpayer payment records and linked digital identities, potentially violating the Nigeria Data Protection Act (NDPA) 2023.
As Nigeria moves towards integrating state-level systems with national digital infrastructure, the exposure of sensitive taxpayer data on a state-run platform raises questions about state governments' readiness to protect citizen information in an interoperable environment.
Data breach trends in Nigeria
According to a study by Surfshark, a cybersecurity company, 10 per cent of Nigerians – roughly one in every ten people – have been affected by a data breach. The report indicates that Nigeria recorded more than 566,300 breached accounts in 2025, ranking Nigeria among the most affected countries in sub-Saharan Africa.
Nigeria’s drive toward digital public infrastructure has pushed sub-national governments to digitise tax administration as a way to expand revenue and improve efficiency. In light of this, the Gombe Internal Revenue Service introduced a digital tax system that enables online taxpayer registration, issuance of Tax Identification Numbers (TINs), and electronic tax payments, reforms intended to curb corruption, widen the tax net, and improve internally generated revenue.
However, a review of the platform revealed that some taxpayer identifiers could be accessed publicly through basic name searches. TINs are classified as personal data under NDPA 2023 and are considered high-risk when exposed without safeguards. While digital taxation is critical for expanding the tax base, reducing leakages, and improving public service delivery, experts warn that weak privacy safeguards could expose citizens to identity theft, financial fraud, and surveillance risks.
A basic name search on the platform reveals the full TINs of registered individuals, raising serious concerns about privacy, consent, and systemic safeguards within a state-run digital public system.
When this reporter visited the Gombe Internal Revenue Service website on Tuesday, January 6, 2026, and searched for “Hon. Justice Halima Saaddiya Mohammed,” the Chief Judge of Gombe State, the portal displayed her full TIN.
A further search for “Hon. Abubakar Muhammad Luggerewo,” the Speaker of the Gombe State House of Assembly, also returned his full TIN, which this newspaper accessed without restriction.
When the name of Sen. Saidu Ahmed Alkali, Nigeria’s Minister of Transportation from Gombe State, was queried, only part of his TIN appeared on the portal.
Alkali was among a small number of individuals whose identifiers were partially masked. Many others were not afforded the same protection.
Digital security experts say inconsistent masking suggests the absence of a clear data-protection policy or uniform technical safeguard.
Daily Episode also obtained the TINs of multiple businesses and institutions, including White Light Bakery, Mimza Bakery, North Eastern University, Makay Supermarket and Shalele CE Supermarket and Chop House.

Others included UBA, Access Bank, AYM Shafa, Dan Marna, Matrix Energy Limited and an NNPC filling station.

Even government agencies were not spared. TINs associated with agencies such as the Economic and Financial Crimes Commission (EFCC), Ministry of Finance, Ministry of Youth Development and Ministry of Information were visible on the portal.
For non-government individuals, the portal revealed TINs linked to taxpayers including Hafiza Migini, Barrister Caleb Ubale, Zainab Bulkachuwa (possibly the former President of the Court of Appeal) and Barrister Usamatu Abubakar, among others.
Search results continued to expose the details of both young and elderly taxpayers, with a few exceptions such as Gombe State Governor Muhammadu Inuwa Yahaya, and his deputy, whose identifiers could not be found on the portal.
Why DPI privacy protection matters
Digital Public Infrastructure (DPI) is designed as an interconnected ecosystem where government platforms, including tax, identity, social services, and payments, increasingly share and exchange data across federal and subnational levels.
Nigeria’s DPI roadmap prioritises interoperability: state-level systems are expected to integrate with national databases, so weaknesses in one state system can affect others once data flows across platforms and government layers.
While digital tax systems are promoted as tools to widen the tax net and increase revenue, privacy breaches can produce the opposite effect, discouraging participation and slowing adoption of the very infrastructure designed to improve efficiency and compliance.
Despite the Gombe Internal Revenue Service being ranked fourth in digital tax administration in Nigeria in 2025, the exposure of taxpayer identifiers highlights a gap between digitisation and data protection.
“I was not aware my TIN was public”
Usamatu Abubakar, a legal practitioner and head of chambers at Babawuro and Co. in Gombe, is one of the taxpayers whose TIN appeared publicly on the portal. He said he was unaware that his personal information was exposed.
“I never expected or became aware that my TIN would be made so easily available on the portal,” he said. “I was not asked to give consent for my TIN to be displayed on a public platform.”
He added that he was not informed about how his personal data would be stored, processed or protected beyond official tax purposes.
Abubakar said knowing that his TIN could be accessed through a simple name search made him feel exposed and insecure.

For him, the exposure has reduced his trust in government-run digital systems.
“There is no longer safety or protection,” he said. “The revenue service should immediately restrict access to TINs for official use only.”
Auwal Musa Abubakar, a head teacher at Gabukka Model School in Gombe, said he was also unaware that the school’s TIN was publicly available.
“We did not give permission, and it was not with our consent that our Tax Identification Number was displayed on a public platform,” he said.
He told Daily Episode that the school received no information on how its data would be processed, stored or protected.
“To be honest, this situation is very discouraging because unauthorised persons may gain access to sensitive information such as account details and school records,” he said. “This could lead to serious problems, including misuse by fraudsters.”

Musa said the exposure had discouraged him from trusting government-run digital platforms.
“A TIN should not be displayed publicly unless the individual concerned is authorised or officially involved in tax administration,” he said.
He urged the government to improve safeguards around school and institutional data, noting that TINs contain sensitive and vital information.
What the law says
A Tax Identification Number is classified as personal data under Nigeria’s Data Protection Act (NDPA) 2023.
Section 24(1)(f) of the law states that personal data must be “processed in a manner that ensures appropriate security … including protection against unauthorised or unlawful processing, access, loss, destruction, damage, or any form of data breach.”
Section 39(1) further requires data controllers and processors to ensure the security, integrity and confidentiality of personal data, taking into account its sensitivity and the potential harm that could result from misuse or disclosure.
“A data controller and data processor shall implement appropriate technical and organisational measures to ensure the security, integrity and confidentiality of personal data in its possession or under its control, including protections against accidental or unlawful destruction, misuse, alteration, unauthorised disclosure or access, taking into account –
- a) the amount and sensitivity of personal data
- b) the nature, degree and likelihood of harm to a data subject that could result from the loss, disclosure, or other misuse of personal data.”
By allowing unrestricted public access to full TINs through basic name searches, Gombe State’s tax portal appears to contravene these provisions, exposing citizens to identity theft, financial fraud and unlawful profiling.
Violations of the Act can attract penalties of up to ₦10 million or two percent of an organisation’s annual gross revenue.
Barr. Najib Adamu, an associate at Ibrahim K. Bawa SAN & Co., said such violations are actionable and can be challenged before a court of competent jurisdiction.
“The Tax Identification Number of a person falls under the definition of personal data as defined by Section 65 of Nigeria’s Data Protection Act, 2023,” he said. “This means that any breach of such data arising from accidental or unlawful destruction, loss, misuse, alteration, unauthorised disclosure (as is the case in the GIRS portal) amounts to a breach of data privacy.”
The legal practitioner further noted that breaches of this nature go beyond statutory violations and amount to infringements of constitutionally protected rights.
“It is noteworthy that any breach of such nature amounts to the violation of fundamental human rights as the Right to Privacy is protected under Section 37 of the Constitution of the Federal Republic of Nigeria 1999 (as amended), Article 12 of the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights.”
The Court of Appeal decision in “Incorporated Trustees of Digital Rights Lawyers Initiative & Ors V. NIMC (2021),” according to him, highlights “how courts resist any attempt by anybody (whether private or official) to unlawfully disclose personal data of people.”
Risks beyond Gombe
Experts warn that when subnational systems are insecure or poorly governed, they do not fail in isolation. Once interoperability is enabled, vulnerabilities can cascade into national systems, expanding attack surfaces and weakening trust across government platforms.
Several taxpayers interviewed said the exposure of their TINs has weakened their confidence in government-run digital systems, an outcome experts say could undermine efforts to mainstream DPI across Nigeria.
DPI specialists, including threat intelligence analyst at CyHawk Africa, Hassanat Oladeji, say successful digital public infrastructure depends on three principles: privacy-by-design, security-by-design and accountability-by-design.
Public trust is a core dependency of DPI success. When citizens fear that their personal data is unsafe, they are less likely to adopt digital platforms, comply voluntarily, or share accurate information.
Responding to why TIN exposure is particularly dangerous in Nigeria, she said the identifiers are permanent and easily linked to other breached datasets.
“In Nigeria, leaked data is most times aggregated and reused. Exposing TINs is very risky because they are permanent identifiers of Nigerians that can be easily linked with other breached datasets. TINs have personally-identifiable data that can be used to impersonate the victim and can aid identity theft to commit crimes.”
She added that TIN exposure can facilitate tax fraud, targeted social engineering and broader fraud chains when combined with BVNs, phone numbers or SIM registration data.
According to her, the situation reflects wider weaknesses in Nigeria’s digital public infrastructure, including poor access controls, weak security standards and limited oversight at subnational levels.
Urging the government to adopt best practices to protect citizens’ data, the threat intelligence expert said, “TINs should never be publicly exposed. Portals must enforce strong authentication, mask sensitive information, apply encryption of passwords, log access, and undergo regular independent security testing. Also, regular cyber safety training should be mandatory for all employees of revenue boards.”
She added that Nigeria could learn from countries with mature digital systems that rely on masking, tokenisation, strict access controls and enforceable accountability mechanisms.
“Nigeria needs enforceable minimum security standards, mandatory security audits before deployment, centralized oversight of identity data, and real accountability for negligent data exposure.”
GIRS, NDPC keep mum
The Gombe State Internal Revenue Service did not respond to WhatsApp messages sent to it regarding these findings.
This outlet followed up with Faruk Muazu, the agency’s head of corporate communications, who said he would check the messages and respond, but no reply had been received at the time of publication.
Daily Episode also contacted the Nigeria Data Protection Commission by email. Although the commission acknowledged receipt, it had not provided a response as of press time.
“We acknowledge the receipt of your mail. It has been forwarded to the relevant department and we would respond soon,” the email stated.
When Itunu Dosekun, an assistant manager and head of media unit at NDPC, was further contacted, he requested that questions be sent to him via WhatsApp but had not responded as at press time.
This report is produced under the DPI Africa Journalism Fellowship Programme of the Media Foundation for West Africa and Co-Develop.




































