NDPC Launches Formal Investigation Into Alleged Data Breach Involving Nigerian Financial Institutions
The Nigeria Data Protection Commission (NDPC) has officially launched a comprehensive investigation into an alleged data breach involving multiple financial institutions, including Remita Payment Services Ltd. and Sterling Bank. The regulatory body confirmed this development through a formal statement issued on Monday, April 6, 2026, marking a significant response to growing cybersecurity concerns within Nigeria's financial sector.
Formal Notice Served and Investigation Scope Defined
According to Babatunde Bamigboye, Head of Legal, Enforcement and Regulations at the NDPC, a formal notice of investigation was served on April 1, 2026, in strict accordance with established regulatory procedures. Bamigboye emphasized that all relevant parties and individuals have been cooperating fully with the commission, providing essential information to support the ongoing probe and address the alleged security incident effectively.
The primary objective of this investigation is to ensure that data subjects receive appropriate protection through technical and organizational measures. The scope of the inquiry is extensive, covering multiple critical aspects including the specific types of personal data involved, the precise nature and extent of the alleged breach, potential risks to affected individuals, and mitigation steps implemented where a breach has been confirmed.
Cybercrime Reports Trigger Regulatory Action
The investigation follows alarming reports from the cybercrime tracking platform Dark Web Informer, which claimed in a March 31 post on social media platform X that a significant breach linked to Remita had surfaced on a prominent cybercrime forum. According to these reports, the compromised data included approximately 3 terabytes of storage, over 800GB of Know Your Customer (KYC) documents such as identification cards, passports, bank statements, and utility bills.
Additionally, the alleged breach reportedly involved databases, system logs, source codes, and more than 35,000 password hashes, representing a substantial security threat to affected customers and institutions. Separately, during the same period, there were reports of a potential data breach involving Sterling Bank, as documented by Vanguard newspaper, further highlighting the widespread nature of cybersecurity challenges facing Nigerian financial institutions.
Regulatory Warning and Legal Framework
National Commissioner Vincent Olatunji issued a stern warning to organizations deploying digital payment systems without adequate safeguards, emphasizing that such entities would face rigorous regulatory scrutiny and potential sanctions. Olatunji stressed that these measures are mandated under the Nigeria Data Protection Act 2023, which establishes clear requirements for ensuring the integrity and security of Nigeria's evolving digital ecosystem.
The commissioner's statement underscores the growing importance of robust data protection frameworks as Nigeria continues to expand its digital financial services. Organizations failing to implement appropriate security measures risk not only regulatory penalties but also significant reputational damage and loss of customer trust in an increasingly competitive market environment.
Broader Context of Cybersecurity Challenges
This investigation occurs against a backdrop of heightened cybersecurity concerns within Nigeria's financial sector. Previously, the Federal High Court in Abuja ordered an additional 30-day freezing of 818 bank accounts suspected of containing proceeds from an N10 billion cyberattack on Hope Payment Service Bank. The court order, authorized by the Inspector General of Police and presided over by Justice James Omotosho on October 15, 2024, demonstrates the ongoing legal and regulatory efforts to combat cybercrime.
The motion filed by the police legal team indicated that the accounts under investigation were allegedly used to receive proceeds from criminal activities, highlighting the interconnected nature of cybersecurity threats and financial crime. These developments collectively emphasize the urgent need for enhanced security protocols, continuous monitoring, and proactive regulatory oversight within Nigeria's rapidly digitizing financial landscape.
