Oyo TESCOM Allegedly Leaks Applicants’ Sensitive Data Online, Violates National Privacy Law, Puts Thousands of Personal Documents at Risk

Jul 4, 2025 - 02:04

By: Israel Adeleke

OPEN TELEVISION NAIJA (OTN) News reports as gathered that the Oyo State Teaching Service Commission (TESCOM) has left the personal documents of thousands of Nigerians exposed on the open internet due to lax cybersecurity practices.

OTN News further reports as gathered that the exposed records, ranging from national identity slips and bank details to medical reports, employment letters, and birth certificates, were discovered in an unsecured Google Cloud folder directly linked to the official TESCOM website. With no login credentials required, the files remain accessible to anyone using basic “Google dorking” techniques.

According to investigations by the Foundation for Investigative Journalism (FIJ), the breach was not the result of a cyberattack or hacking activity. Instead, it is due to a basic failure by the government to secure its digital infrastructure.

The cloud folder was neither encrypted nor protected from public indexing, making it visible on search engines.

FIJ found the exposed data while auditing the websites of Nigerian subnational agencies for safety, data privacy and security. It was located through a simple online search applying the methods of ‘Google dorking’, which allows users to find insecure web pages and directories.

Some of the victims include Akolawole Mathew, whose national ID was left exposed; Oladosu Olalekan Moses and Agbato Samuel, whose credentials were publicly available; Adesina Olajide, whose NYSC certificate was exposed; and Olawale Tunbosun, whose primary school certificate was found in the open file bucket. 

OTN News observes that this incident is in direct violation of the Nigeria Data Protection Act (NDPA) and guidelines issued by the National Information Technology Development Agency (NITDA), which mandate stringent safeguards for all entities collecting and storing personal data. 

Experts warn that the exposed data can easily be exploited for identity theft, loan fraud and impersonation, targeted scams and digital blackmail, among other unlawful acts.

The finding is part of a broader audit of Nigerian subnational government websites conducted by the Foundation for Investigative Journalism (FIJ). The investigation uncovered a pattern of poor digital hygiene, weak enforcement of protection laws, and recurring exposures of sensitive citizen information.

OTN News recalls a similar case of one Lagos-based individual, Jonah Chukwudi, who fell victim to an impersonation scam after fraudsters used his leaked details for financial extortion.

The incident unfolded in 2023, when the identity of Jonah Chukwudi was used to fraudulently extort money from his family and friends.

According to The Punch’s report of the incident, someone had created fake social media profiles in his name, using his phone number, email address and other personal details harvested from unsecured websites.

The impostor had reached out to his contacts to promise business deals and loans worth thousands of naira before the fraud stopped.

Similarly in March, a Lagos High Court found Innocent Joseph Odumusor and Ajose Samuel Chukwudi guilty of impersonation and possessing fraudulent documents. 

OTN News further recalls that the duo had printed and used a bundle of fake letters sourced from someone else’s email account to convince victims they represented legitimate businesses.

Both men admitted in court that they knew the papers were false, and Justice Abike Fadipe sentenced each to one year’s imprisonment with the option of a N200,000 fine.

Also, on August 15, 2023, the Federal High Court in Ikoyi sentenced 30‑year‑old Hakeem Ayotunde Olanrewaju to two years’ imprisonment (or a N200,000 fine) after he admitted stealing the identity of a businessman and withdrawing $22,000 and N500,000 using forged manager’s cheques.

Olanrewaju had used the victim’s name, signature and account details — harvested from an unsecured digital form — to impersonate him in bank transactions. 

OTN News also observes that some of the victims of this insecure data storage in the case of the Oyo TESCOM stand the risk of falling victim to any of these criminals.

Here is what the act states verbatim: “(3) Where a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject the data controller shall immediately communicate the personal data breach to the data subject in plain and clear language, including advice about measures, the data subject could take to mitigate effectively the possible adverse effects of the data breach and if a direct communication to the data subject would involve disproportionate effort or expense, or is otherwise not feasible, the data controller may instead make a public communication in one or more widely used media sources such that the data subject is likely to be informed.”

Subsequently, OTN News further observes that as of this publication, TESCOM has not issued any official statement or taken publicly visible steps to close access to the exposed files. 

OTN News, however, opines that until the TESCOM portal is properly secured and legal remedies are enacted for affected individuals, digital privacy in Nigeria remains at serious risk.
