Nigeria’s data protection regulator has launched an investigation into Remita Payment Services Ltd. and Sterling Bank following reports of a potential large-scale data breach that may have exposed sensitive personal and financial information of Nigerians.
The development was disclosed in a statement signed by Babatunde Bamigboye, Head of Legal, Enforcement and Regulations at the NDPC.
The Commission confirmed that a formal Notice of Investigation was served on April 1, 2026, to both parties.
What the NDPC is saying
The probe, initiated by the Nigeria Data Protection Commission (NDPC), comes after growing concerns over a suspected cyber incident involving both entities.
According to the Commission, the investigation is to determine the extent of the alleged breach and ensure that affected data subjects are adequately protected.
- “In line with the Commission’s procedure, Notice of Investigation was duly served on the 1st of April, 2026. Relevant parties and individuals have been providing information for the purpose of addressing the incident.
- The aim of the investigation is to ensure that data subjects are protected with appropriate technical and organisational measures. The investigation by NDPC covers, among others:
  - The types of personal data involved
  - The nature and scope of the alleged breach
  - The risk to data subjects
  - The mitigation measures carried out when a breach is confirmed,” they stated.
Backstory
The NDPC’s investigation follows a series of cyber threat alerts circulating online, pointing to potential breaches involving both institutions.
The investigation follows a wave of alarming claims by a threat actor identified as “ByteToBreach,” who claimed responsibility for breaching systems linked to both Remita and Sterling Bank.
- A post by cyber intelligence account Dark Web Informer on March 31 alleged that a massive dataset linked to Remita had been leaked on a cybercrime forum.
- According to the post, the breach reportedly involved about 3 terabytes of data from cloud storage, including over 800GB of KYC documents such as identity cards, passports, bank statements, and utility bills. The leaked materials were also said to include databases, logs, source code, password hashes, and backups linked to internal systems.
- In a separate alert, Hackmanac reported on March 27 that a threat actor identified as ByteToBreach claimed responsibility for breaching Sterling Bank’s systems.
- The claim alleged the exposure of data tied to approximately 900,000 customer accounts and over 3,000 employee records, including banking details, identity documents such as BVN and passports, transaction histories, loan records, and credit scores.
Reports circulating online suggest that the alleged breach may not be limited to the entities currently under investigation. Claims indicate that data linked to organisations such as Zenith Bank, Oyo State Government, Leadway Assurance, GetBumpa, and Ahmadu Bello University, alongside more than 30 other companies and government institutions, may have been exposed to the public.
What this means
At a time when digital banking and fintech adoption are accelerating across Nigeria, any confirmed breach of this scale could weaken public trust in the system and raise concerns about how securely personal data is being managed.
The implications go beyond reputational damage. Under the Nigeria Data Protection Act 2023, organisations are required to implement strong technical and organisational safeguards to protect user data or risk regulatory action.
If investigations show gaps in compliance, the affected organisations could face penalties of up to N10 million or 2% of their annual gross revenue, whichever is higher, alongside mandatory corrective measures.
What you should know
Nairametrics reported that the Commission launched a sector-wide investigation into 1,369 organisations suspected of violating provisions of the Nigeria Data Protection Act 2023.
- These include companies in banking, insurance, pensions, and gaming, with as many as 795 financial institutions affected. The organisations were given 21 days to provide evidence of compliance or face sanctions.
- As part of its enforcement process, the NDPC now requires companies to submit annual data protection audit reports, appoint Data Protection Officers, outline their security measures, and register appropriately as data controllers or processors.
The Commission has also demonstrated its willingness to impose penalties where necessary. In one of its most notable cases, it fined Multichoice Nigeria N766.2 million after finding violations related to unlawful data processing and illegal cross-border transfer of Nigerians’ personal data.







