Nigeria’s data protection regulator, the Nigeria Data Protection Commission, has opened an investigation into Remita Payment Services Ltd. and Sterling Bank over a suspected large-scale data breach.
The Commission disclosed that a formal Notice of Investigation was served on both organisations on April 1, 2026, following reports that sensitive personal and financial data of Nigerians may have been exposed.
In a statement signed by Babatunde Bamigboye, the NDPC said the probe will determine:
- The types of personal data involved
- The scale and nature of the alleged breach
- Potential risks to affected individuals
- Measures taken to mitigate the incident
The Commission added that relevant parties are already providing information as part of the ongoing investigation.
The investigation follows a wave of cyber threat alerts circulating online, including claims by a threat actor known as “ByteToBreach.”
Reports suggest that data linked to Remita may have been leaked on a cybercrime forum, allegedly involving about 3 terabytes of data, including sensitive Know-Your-Customer (KYC) documents such as identity cards, passports, and bank statements.
Separate claims also allege a breach of Sterling Bank’s systems, with data tied to hundreds of thousands of customer accounts and thousands of employee records potentially exposed.
Unverified reports further indicate that data from other institutions, including Zenith Bank, Oyo State Government, Leadway Assurance, GetBumpa, and Ahmadu Bello University, may also have been affected.
If confirmed, the breach could undermine trust in Nigeria’s fast-growing digital banking and fintech ecosystem, where large volumes of personal data are processed daily.
Under the Nigeria Data Protection Act 2023, organisations are required to implement robust safeguards to protect user data. Failure to comply could attract penalties of up to N10 million or 2% of annual gross revenue, alongside mandatory corrective actions.
The NDPC noted that the investigation is part of broader enforcement efforts across the economy. Recently, the Commission launched a sector-wide probe into over 1,300 organisations suspected of data protection violations, including hundreds of financial institutions.
Companies are now required to submit annual data protection audits, appoint Data Protection Officers, and clearly outline their security frameworks.
The regulator has also shown its willingness to impose sanctions, including a high-profile fine against Multichoice Nigeria for data protection breaches.
