The Nigeria Data Protection Commission (NDPC) has officially launched a high-stakes investigation into a massive alleged data breach involving the financial technology giant Remita Payment Services Ltd. and Sterling Bank.
The probe, triggered on April 1, 2026, aims to uncover the scale of a potential compromise that may have exposed the sensitive personal and financial records of millions of Nigerian citizens.
The Investigation Underway
The NDPC confirmed on Sunday that formal “Notices of Investigation” have been served to both institutions. According to Babatunde Bamigboye, Esq., the Commission’s Head of Legal, Enforcement, and Regulations, several key individuals are already being interrogated to determine the “nature and scope” of the incident.
The commission’s primary focus includes:
Identifying the specific data types involved in the alleged leak.
Assessing the risk posed to the affected “data subjects” (the public).
Evaluating mitigation measures taken by the companies since the breach was reported.
Dark Web Claims: BVNs and Passports at Risk
The investigation follows alarming claims from a dark web hacker operating under the alias ByteToBreach.
In March, the hacker claimed to have infiltrated Sterling Bank, allegedly gaining access to:
One million customer accounts and 3,000 employee records.
Highly sensitive data: Bank Verification Numbers (BVNs), NUBANs, passport details, and driver’s license information.
Internal records: Loan histories, credit scores, and private data of the bank’s CEO and Board Chairman.
Just last week, the same actor claimed responsibility for breaching Remita, the central gateway for many of Nigeria’s government and private sector financial transactions.
Regulatory Warning: No Entity is Exempt
Dr. Vincent Olatunji, the National Commissioner and CEO of the NDPC, has directed that the probe be widened to include other organizations utilizing digital payment systems. He warned that the integrity of Nigeria’s financial ecosystem is at stake.
“The aim is to ensure that data subjects are protected with appropriate technical and organizational measures,” the Commission stated.
Under the Nigeria Data Protection Act (NDP Act) 2023, any organization found operating without sufficient technical safeguards faces severe legal penalties. The NDPC is currently analyzing whether Remita and Sterling Bank failed to implement these mandatory protections on their infrastructure.
What This Means for the Public
As Remita and Sterling Bank are pillars of the digital economy, this investigation marks one of the most significant tests of Nigeria’s data privacy laws to date. While the probe continues, the NDPC is working to ensure that any confirmed breaches are met with immediate corrective action to prevent further exploitation of citizens’ identities.


