Weak baseline hygiene — but no confirmed breach
This is the Category 2 (Technical & Security) picture across 17 platforms. Findings are shown as patterns and counts — specific platforms are not named, to avoid publishing a roadmap for attackers.
*One platform is a data-exposure outlier under investigation and is treated separately as a priority follow-up.
Security-header grade distribution
n = 17The missing protections are like a building with several unlocked side doors and no security cameras. It doesn't mean anyone has walked in and taken something — but if someone tries, there is little standing in their way, and little chance of being detected.
No evidence was found that any platform has been hacked, or that citizen data has been stolen. The concern is ease of attack, not proven compromise — and a handful of findings are exactly the kind of thing real-world attackers look for first.
What needs attention, and how urgently
Abandoned government domain
One platform is completely down, yet its address still actively points at a hosting provider. This "dangling" domain is the kind of weakness used elsewhere to quietly take over an abandoned government address. The single most urgent item.
A data-exposure outlier
One platform failed nearly every information-exposure check — a systemic outlier relative to every other platform reviewed. It warrants a full, hands-on follow-up audit as a priority.
Discoverable admin logins
Five platforms expose their staff/admin login page at a common, guessable address — removing a first line of defence and giving an attacker an obvious starting point.
Missing browser protections, estate-wide
Fifteen platforms lack modern security headers — the "seatbelts" that limit damage if a user is tricked by a malicious link. Low urgency individually, but it applies almost everywhere and is cheap to fix.
Three checklist areas were not assessed at all: SSL/TLS configuration, authentication & session security, and privacy / NDPR compliance. These are gaps in the review — not confirmed passes — and must not be assumed fine simply because they weren't flagged.
What's already strong
What's weak
Recurring weaknesses across the four categories
Security is one lens. The wider review found consistent gaps in experience, accessibility, feedback, maintenance and trust.
User experience
Unclear homepage purpose, mobile content overlays, dummy/template content, broken links, missing search & breadcrumbs, unbranded 404 pages, and login walls hiding basic information.
Accessibility
Missing image alt text, uncertain keyboard access, no evidence of accessibility testing, and inaccessible login-gated services. This should be a major second-phase priority, not assumed to pass.
Feedback & support
Missing feedback forms, no submission confirmation, no stated response times, no escalation route, and inactive social links. A form that collects but never responds is not a complete feedback loop.
Maintenance & transparency
Little public evidence of recent updates, no named platform owner or technical vendor, and unclear patch-management. Platforms risk drifting offline-in-spirit while still technically online.
Inclusion & trust
No Igbo-language support for critical information, missing state identity/logo, no official endorsement statement, and basic information hidden behind registration.
The real test
Not whether a platform loads — but whether the citizen can actually achieve the intended outcome.
Straight answers to the obvious questions
Have any of these platforms actually been hacked?+
No evidence of any breach or stolen citizen data was found. The review was passive — reviewers looked at each site only from the outside and found no sign of an active or past intrusion. The concern is ease of attack, not proven compromise.
Was citizens' personal data exposed?+
No personal citizen data was found sitting openly exposed on the live platforms, with one outlier platform treated separately as a priority investigation. Most platforms also lack a proper privacy policy explaining how citizen data is used.
What is the single most urgent issue?+
The abandoned government domain that still points at a hosting provider with no live site behind it — a takeover risk — followed by a full, hands-on audit of the one data-exposure outlier.
If nothing was breached, why does this matter?+
The missing protections are like unlocked side doors and no security cameras: little stops an attacker who tries, and little chance of detection. Several findings — the abandoned domain and the discoverable admin logins — are exactly what real-world attackers look for first.
Can these problems be fixed cheaply?+
Largely, yes. Most fixes are one-off configuration on infrastructure the State already owns — and two platforms already achieve a top security grade on that same setup, proving it is achievable at no new licensing cost.
Did the reviewers try to break in?+
No. All checks were passive and non-intrusive — no penetration testing, exploitation, source-code or database access — consistent with the evaluation manual's methodology.
Key terms, in plain English
Security headers (CSP)
Instructions a site gives the browser to limit damage if a user is tricked. Missing on most platforms reviewed.
Clickjacking
Tricking a user into clicking hidden page elements. Prevented by frame-protection headers.
Dangling / abandoned domain
A web address still pointing at a host with no live site behind it — an attacker can quietly take it over.
Discoverable admin login
The staff/admin login page sitting at a common, guessable address — an obvious first target.
NDPR
Nigeria Data Protection Regulation — the data-protection standard government platforms are expected to meet.
Passive review
Assessing a site only from the outside, without attempting to break in — the method used here.
SLE — Single Loss Expectancy
The cost of one successful incident. See the full model on Impact & Value.
ALE — Annualised Loss Expectancy
The expected cost per year — one incident's cost times how often it's expected to occur.
MDA
Ministry, Department or Agency — the government bodies that own the platforms reviewed.
Two platforms already achieve Grade A on the same shared government infrastructure. The fix isn't new technology — it's applying a configuration that already works, everywhere.
What this means for citizens
Uncertainty about whether a platform is genuine, difficulty starting a service, no confirmation a complaint was received, barriers for mobile/rural/disabled users, and — ultimately — reduced trust in digital government.
What this means for government
A need for central platform governance, clear ownership, minimum security standards, maintenance budgets, and formal handover — so investment produces stable institutions, not systems that depend on particular officers or vendors.