A new legal research paper has raised alarm over the increasing exposure of Nigeria’s oil and gas industry to data breaches and cybersecurity threats, warning that poor data governance could jeopardize the country’s most strategic economic sector.
The paper, authored by data protection lawyer and privacy expert Lynda Ugo Ezike (CIPP/C), argues that the digitization of Nigeria’s oil and gas operations has opened the sector to a wave of cyberattacks, surveillance risks, and legal liabilities tied to the misuse or unauthorized access to personal and sensitive data.
Published under the title “The Significance of Data Protection and Information Security in Nigeria’s Oil and Gas Industry: Legal Considerations,” the report explores how oil and gas companies in Nigeria, while adopting emerging technologies like cloud computing, artificial intelligence, and IoT, are falling short of the data protection responsibilities imposed by Nigerian law.
“Nigeria’s oil and gas companies are now classified as data controllers and processors of major importance under the Nigeria Data Protection Act (NDPA) 2023. This means they face stricter regulatory obligations, and failure to comply could attract fines of up to N10 million or 2% of their annual gross revenue,” Ezike wrote in the paper.
Critical infrastructure, digital vulnerability
With the sector contributing significantly to government revenue, exports, and GDP, the report warns that any data breach or cybersecurity incident can have devastating ripple effects across the economy.
Referencing a 2021 cyberattack on the Nigerian National Petroleum Corporation (NNPC), where hackers reportedly encrypted sensitive operational data and demanded a ransom, the paper illustrates how vulnerable Nigeria’s energy assets have become.
Other examples cited include the Colonial Pipeline ransomware attack in the United States, which disrupted fuel supplies and led to congressional inquiries, and incidents involving Saudi Aramco and Canadian energy firms that suffered multi-million-dollar losses due to data breaches.
Legal gaps and compliance failures
While Nigeria has made strides with the enactment of the NDPA and the creation of the Nigeria Data Protection Commission (NDPC), the paper notes that existing oil and gas regulations—particularly the Petroleum Industry Act (PIA) 2021—only cover customer data, leaving out other important categories such as employees, contractors, and host communities.
“The PIA references data protection in Section 164, but its scope is limited to customer information in midstream and downstream operations,” Ezike explains. “This leaves a gap for upstream activities and broader data subject categories.”
The report calls for sector-specific data protection regulations, arguing that a one-size-fits-all approach fails to account for the operational complexities and data sensitivity levels across upstream, midstream, and downstream segments.
Key risk areas in the industry
The report outlines eight areas in which oil and gas companies are most vulnerable to data breaches and legal liabilities. These include:
- Human resources (handling biometric and health records)
- Third-party contractors and cloud vendors
- Customer payment and financial data
- Health, Safety and Environment (HSE) systems
- Transborder data transfers
- Surveillance systems (CCTV and drone footage)
- Visitor management systems
- Company websites and cookie tracking tools
Each of these areas, according to the paper, involve the collection, storage, processing, or transfer of personal data—activities which are now legally regulated under the NDPA.
Recommendations for the industry
To avert major data protection failures, the report recommends a number of compliance and governance strategies, including:
- The development of industry-specific data protection guidelines in partnership with the NDPC
- Adoption of third-party data processing agreements with vendors and contractors
- Staff training on data privacy rights and breach protocols
- Implementation of annual data audits, privacy impact assessments, and use of privacy-enhancing technologies
- Certification through recognized schemes such as ISO 27701 or BBBOnline
The report also emphasizes the importance of having incident response plans and designating Data Protection Officers to oversee compliance within oil and gas firms.
Why it matters
The push for stronger data protection comes at a time when Nigeria is seeking to deepen investor confidence in its oil and gas sector amid global shifts in energy investment.
With digitization now central to exploration, refining, logistics, and payments, a major breach could affect everything from fuel supply chains to international financing deals.
“The everyday existence of Nigerians is powered by the oil and gas sector, and any malicious cyber intrusion can cause serious economic and social disruption,” Ezike warns.
The NDPC has also stepped up enforcement in 2025, signaling that non-compliance will no longer be treated lightly.
As Nigeria positions itself as Africa’s largest oil producer and a digital leader in energy innovation, experts say protecting data in the sector will be just as important as securing the pipelines.
