The Nigeria Data Protection Commission (NDPC) has opened a formal investigation into an alleged massive data breach involving two heavyweights of the country’s payment ecosystem: Remita Payment Services Ltd. and Sterling Bank Plc.
The probe was officially triggered on April 1, 2026, just days after a hacker operating under the handle “Bytetobreach” publicly claimed responsibility for infiltrating both platforms.
The Commission is now working to establish whether the personal and financial data of millions of ordinary Nigerians — from everyday bank customers to high-net-worth individuals — may have been exposed through the very digital pipelines that power government salaries, tax payments, school fees, and private-sector transactions nationwide.
In a statement issued on Sunday, Babatunde Bamigboye, Esq., Head of Legal, Enforcement and Regulations at the NDPC, confirmed that a formal “Notice of Investigation” had already been served on the affected entities. “Relevant parties and individuals have been providing information for the purpose of addressing the incident,” Bamigboye said.
The Commission’s immediate focus, he added, is to determine “the nature and scope” of the alleged breach and to ensure that data subjects — Nigeria’s citizens — are shielded by the robust technical and organisational safeguards mandated by law.
The statement further detailed the breadth of the inquiry. Investigators are examining the types of personal data involved, the scale of any compromise, the potential risks to individuals, and whatever mitigation steps the companies may have taken once the breach was identified or suspected.
National Commissioner and CEO of the NDPC, Dr. Vincent Olatunji, has taken the matter even further. He has directed that the investigation be expanded to cover other organisations operating digital payment systems across the country. “Any entity found operating without the required measures will face the full weight of the law,” Olatunji warned, describing the action as part of a “wider effort to ensure the integrity of the ecosystem.”
The development comes against the backdrop of increasingly brazen claims by the hacker Bytetobreach. Just last week the individual asserted responsibility for breaching Remita, a platform that processes billions of naira in government and private-sector payments every month.
In March, the same hacker claimed to have compromised Sterling Bank, a leading commercial lender, stating that approximately one million customer accounts and more than 3,000 employee records had been accessed.
According to the hacker’s claims, the stolen data included highly sensitive information such as Bank Verification Numbers (BVNs), Nigerian Uniform Bank Account Numbers (NUBANs), passport and driver’s licence details, transaction histories, loan records, credit scores, and even personnel files stretching up to the bank’s CEO and Board Chairman. The hacker further alleged that the data resided directly on Sterling Bank’s ASN infrastructure.
Remita and Sterling Bank sit at the very heart of Nigeria’s digital economy. Remita serves as the backbone for many federal and state government payments, while Sterling Bank has aggressively expanded its retail and corporate digital banking offerings.
A breach of this magnitude would not only expose ordinary citizens to identity theft, financial fraud and blackmail but could also erode public confidence in the very platforms successive administrations have promoted as the future of cashless Nigeria.
Under the Nigeria Data Protection Act 2023, all data controllers and processors — including banks and fintech firms — are legally required to implement stringent technical safeguards to protect personal data. Failure to do so can attract heavy penalties, including fines and potential criminal liability for executives.
The NDPC’s investigation is therefore not merely fact-finding; it is a test of how seriously Nigeria’s regulators intend to enforce the relatively new law in an environment where digital transactions have become the lifeblood of the economy.
As the probe gathers momentum, Nigerians are left wondering how safe their most private financial details really are. The Commission has promised transparency as the inquiry progresses, but for now the full extent of any compromise — and the potential fallout for millions of data subjects — remains under wraps.
The NDPC has urged any individuals who suspect their data may have been affected to remain vigilant, monitor their accounts closely, and report suspicious activity immediately to their banks and to the Commission itself.
This is a developing story. Further updates will follow as the NDPC releases additional findings.
WHAT YOU SHOULD KNOW
The NDPC has launched a sweeping investigation into a major alleged data breach at Remita Payment Services and Sterling Bank, following claims by hacker Bytetobreach of compromising millions of Nigerians’ sensitive financial records — including BVNs, account details, transaction histories, and even senior bank executives’ data.
Your personal and financial data in Nigeria’s digital payment systems may no longer be secure.
The NDPC is now probing not just these two firms but the entire digital payment ecosystem to enforce strict data protection laws and prevent further exposure.
Stay vigilant, monitor your accounts, and demand stronger safeguards from your banks and fintech platforms.
