The Nigeria Data Protection Commission (NDPC) has raised concerns over coordinated cyber threats targeting Nigeria’s financial systems and key digital infrastructure, warning organisations to urgently strengthen their data security architecture.
The Commission gave the warning in a Data Protection Advisory issued to data controllers and data processors on Thursday.
NDPC said its technical assessment revealed that “shadowy threat actors” have launched coordinated operations aimed at critical systems in the country.
The warning signals growing regulatory concern over the vulnerability of institutions that power payments, banking services, telecommunications, cloud platforms and public sector digital services.
What the NDPC is saying
In the Advisory signed by NDPC’s Head, Legal, Enforcement and Regulations, Babatunde Bamigboye, Esq., the Commission said organisations handling personal data must urgently improve both technical and organisational safeguards to protect Nigerians and other data subjects from privacy breaches and cyber risks.
- “The Commission strongly advises that data controllers and processors (including MDAs) are to urgently step up their technical and organisational measures to ensure the privacy of all Nigerians and other data subjects in line with the Nigeria Protection Act, 2023 (NDP Act),” the Advisory read in part.
The NDPC listed several immediate actions organisations should implement to reduce exposure to cyber threats.
These include appointing trained and certified Data Protection Officers, implementing privacy policies and information security standards, and conducting Data Privacy Impact Assessments.
- Other measures highlighted by the Commission include the deployment of robust identity and access controls such as Multi-Factor Authentication, adoption of zero trust security architecture, network segmentation, and immediate remediation of system vulnerabilities through continuous patch management.
- The Commission also called for stronger protection of cloud infrastructure, application programming interfaces, databases and access credentials.
- It further advised organisations to deploy real-time monitoring, logging and threat detection systems, implement encryption and secure credential handling, conduct Vulnerability Assessment and Penetration Testing on critical systems, and maintain regular backup, recovery and resilience testing.
Get up to speed
This warning comes weeks after the NDPC announced it had launched an investigation into an alleged data breach involving Remita Payment Services Ltd., Sterling Bank, and other entities.
According to the Commission, the investigation aimed to ensure that data subjects are protected with appropriate technical and organisational measures.
It added that the investigation would cover, among others, the types of personal data involved, the nature and scope of the alleged breach, the risk to data subjects and the mitigation measures carried out where a breach is confirmed.
What you should know
Under the Nigeria Data Protection Act 2023 (NDPA), data controllers must report personal data breaches to the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware of the breach if it poses a risk to the rights and freedoms of individuals.
- High-risk breaches also require immediate notification to affected data subjects.
- Unlike the previous regulations, the NDPA requires reporting only if the breach is likely to result in a risk to the rights and freedoms of data subjects.
If a breach is likely to result in a high risk to data subjects, the controller must inform the individuals immediately, including steps they can take to mitigate the risk.






