Kebbi State Internal Revenue Service (KIRS) has exposed sensitive taxpayer data on its tax portal, raising concerns about privacy and data protection failures at a time when Nigeria is accelerating its transition to a digital economy and strengthening its digital public infrastructure, reports Muhammad Auwal Ibrahim.
Findings by Daily Episode show that personal information belonging to taxpayers, including phone numbers, can be freely accessed through the Kebbi State Internal Revenue Service portal, a platform designed for digital tax administration.
A visit to the website revealed that any user can type a name into the search field and retrieve sensitive taxpayer details without authentication or consent. Although the portal provides a login option for tax payments, clicking the “pay tax” function allows users to bypass the login process entirely, enabling unrestricted searches of personal data.
Unlike breaches caused by external hackers or cybercriminals, this exposure stems from the platform’s architecture and design, pointing to a failure to implement privacy-by-design and security-by-design principles, which are core safeguards in Digital Public Infrastructure (DPI) frameworks.

As digital tax systems increasingly form part of Nigeria’s Digital Public Infrastructure, interconnected with identity, payment, and data systems, such design failures represent a significant governance risk.
Taxpayers react to privacy breach and data exposure
Several taxpayers whose phone numbers were accessed through the portal expressed shock and concern.
Ismail Karatu Abdullahi, founder of Hausa Daily Times, said the phone number linked to his media organisation on the portal was his personal line, not the company’s official contact.
“If that is the number you saw, I don’t know how it got there. It is my personal line, not an official one,” he said.
Abdullahi explained that taxpayers routinely submit their personal details to revenue authorities during registration, trusting that such information will be protected.
“This is another example of poor policy implementation and weak data governance. People must speak up when these breaches happen,” he added.
Similarly, Sadiq Saleh, a Kebbi-based legal practitioner, said he was unaware that his phone number was publicly accessible.
“We trusted them with our data, believing it would be protected under the law. Learning that it is exposed in the public domain is unfortunate,” he said. “A phone number is private data. Anyone who gains access can misuse it depending on their technological capacity. This was done without our consent.”
Saleh urged the revenue service to comply strictly with data protection laws, stressing that safeguarding citizens’ data is a legal obligation, not a choice.

Violating Nigeria’s privacy law
Under Section 65 of Nigeria’s Data Protection Act (NDPA) 2023, a phone number qualifies as personal data.
“Biometric data means personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of an individual, which allow to confirm the unique identification of that individual, including without limitation by physical measures, facial images, blood typing, fingerprinting, retinal scanning, voice recognition, and deoxyribonucleic acid (DNA) analysis.”
Section 24(1)(f) of the Act mandates that personal data be processed “in a manner that ensures appropriate security,” including protection against unauthorised access, loss, or any form of data breach.
Section 39(1) further mandates data controllers and processors to implement technical and organisational measures to safeguard the integrity, confidentiality, and security of personal data, taking into account its sensitivity and the potential harm that could result from misuse.
“A data controller and data processor shall implement appropriate technical and organisational measures to ensure the security, integrity and confidentiality of personal data in its possession or under its control, including protections against accidental or unlawful destruction, misuse, alteration, unauthorised disclosure or access, …”
Violations of the Act can attract penalties of up to ₦10 million or two per cent of an organisation’s annual gross revenue.
Beyond legal non-compliance, the exposure violates foundational DPI safeguards, including data minimisation, purpose limitation, access control, risk-based system, design accountability and auditability.
Public exposure of phone numbers increases the risk of impersonation, SIM-swap fraud, phishing, targeted scams, harassment and identity theft.
A recurring pattern of weak data protection
The Kebbi case is not isolated. It reflects a broader pattern of data protection failures in state-level digital public systems.
In 2026, Daily Episode reported a similar breach in Gombe State, where the Gombe Internal Revenue Service exposed taxpayers’ Tax Identification Numbers (TINs) through a public portal without restriction.
The report revealed that the TINs of individuals, businesses, and public institutions, including senior government officials and agencies, were accessible to anyone without restriction, years after the establishment of the Nigeria Data Protection Commission (NDPC).
Such recurring failures highlight weak institutional capacity to manage Digital Public Infrastructure as critical national systems, rather than routine administrative tools.
“A gateway to deeper harm”
Ali Sabo, a digital rights advocate at the Centre for Information Technology and Development (CITAD), warned that exposing phone numbers creates a gateway to more severe digital harm.
“Phone numbers are core digital identifiers. In a high-data-breach environment like Nigeria, exposing them enables easy linkage with other leaked datasets, making individuals more vulnerable to fraud, impersonation, and targeted attacks,” he said.
According to Sabo, public exposure of contact details fuels phishing scams, fake tax alerts, SIM-swap fraud, harassment, stalking, and extortion.
He added that the incidents reflect “a deeper governance failure where digital systems are deployed without adequate risk assessments, data protection impact assessments (DPIAs), or routine security audits. It is not just a technical failure, it is an institutional one.”
He urged revenue authorities to mask sensitive identifiers, enforce role-based access controls, encrypt data, conduct regular security audits, and fully comply with Nigeria’s data protection framework.
Sabo warned that such failures erode public trust in government digital systems.
“In many countries, taxpayer data is treated as confidential. Access is strictly limited to taxpayers and authorised officials, secured through authentication and strong legal penalties for misuse,” he said.
“Countries with mature digital tax systems treat taxpayer data as critical national infrastructure, not administrative information,” he said. “Without reforms, similar data exposures will continue to undermine public trust and put millions of Nigerians at risk.”
Lessons for Kebbi Revenue Service
Across Nigeria, several state revenue services have implemented safer digital designs.
Portals operated by the Katsina, Plateau, Kwara, Kogi, and Borno Internal Revenue Services require users to log in before accessing any personal or financial information.
Other states, including Benue, Niger, and Nasarawa, allow payments through Remita without exposing personal identifiers on public portals.
Sabo says Kebbi can adopt similar models or redesign its system to comply with privacy-by-design and security-by-design principles, which are central to DPI implementation.
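For technical readers, the safeguards described above (login before any lookup, role-based access, masked identifiers and an audit trail) can be sketched as follows. This is an added illustration, not code from the KIRS portal or from this report; the record fields, role names and function names are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records: names and numbers are invented.
TAXPAYERS = [
    {"id": 1, "name": "Example Trading Ltd", "phone": "+2340000000001"},
    {"id": 2, "name": "Example Farms", "phone": "+2340000000002"},
]
AUDIT_LOG = []  # (user_id, role, query, outcome) tuples for later review


@dataclass
class Session:
    user_id: Optional[int]  # None means no login took place
    role: str               # hypothetical roles: "taxpayer" or "officer"


def mask_phone(phone: str) -> str:
    """Hide all but the last two characters of a phone number."""
    return "*" * (len(phone) - 2) + phone[-2:]


def search_taxpayers(session: Session, query: str) -> list:
    """Single data-access path; every caller passes through these checks."""
    if session.user_id is None:
        AUDIT_LOG.append((None, session.role, query, "denied"))
        raise PermissionError("login required")
    hits = [t for t in TAXPAYERS if query.lower() in t["name"].lower()]
    if session.role == "officer":
        # Authorised staff can find any record, but the identifier is masked.
        result = [{**t, "phone": mask_phone(t["phone"])} for t in hits]
    else:
        # A taxpayer only ever sees their own record.
        result = [t for t in hits if t["id"] == session.user_id]
    AUDIT_LOG.append((session.user_id, session.role, query, len(result)))
    return result


def pay_tax_lookup(session: Session, query: str) -> list:
    """The payment flow reuses the guarded search instead of its own query."""
    return search_taxpayers(session, query)
```

Because the check sits in the data-access function rather than on the login page, a second entry point such as a payment screen cannot reach the records without passing it.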
The need for data protection
Digital Public Infrastructure (DPI) refers to shared, government-backed digital systems such as payments, identity, and data platforms that are reused across institutions and sectors.
Nigeria’s DPI roadmap emphasises interoperability, meaning state-level systems will increasingly connect with national platforms. In such an ecosystem, weaknesses in one system can affect others across the entire network.
While digital tax systems are promoted to expand the tax net and improve efficiency, privacy failures can produce the opposite effect, eroding public trust, discouraging participation, and undermining compliance.
KIRS, NDPC didn’t respond
Daily Episode contacted Kebbi State Internal Revenue Service through the email address listed on its website but received no response as of press time. Repeated phone calls to the service line made available on its website also went unanswered.
The Nigeria Data Protection Commission (NDPC) similarly failed to respond to Daily Episode’s questions sent by email.
This silence reflects a broader accountability gap in how public institutions govern and protect citizens’ data, threatening the credibility of Nigeria’s digital public infrastructure agenda.
This report is produced under the DPI Africa Journalism Fellowship Programme of the Media Foundation for West Africa and Co-Develop.


