The Nigeria Data Protection Commission (NDPC) has officially commenced a full-scale investigation into an alleged major data breach involving Remita Payment Services Limited, Sterling Bank, and several other associated entities. The move follows escalating concerns over the security of sensitive personal and financial information within Nigeria’s digital payment ecosystem.+1
In a statement released on Sunday, April 5, 2026, the Head of Legal, Enforcement and Regulations at the NDPC, Babatunde Bamigboye, Esq., confirmed that formal Notices of Investigation were served to the affected organizations on April 1. According to the commission, the subjects of the probe have already begun submitting information to clarify the circumstances surrounding the reported compromise.
The investigation was triggered by claims surfacing on cybercrime forums in late March 2026. A threat actor identified as “ByteToBreach” alleged unauthorized access to approximately 3TB of cloud storage—specifically Amazon S3 buckets—containing sensitive data. The leaked assets purportedly include over 800GB of Know Your Customer (KYC) documents such as international passports and national IDs, bank statements, and over 35,000 password hashes. The attacker further claimed that infrastructure linked to Sterling Bank was instrumental in facilitating the breach, though these allegations remain unverified by official sources.+3
The NDPC stated that the primary objective of the inquiry is to ensure that data subjects are shielded by adequate technical and organizational measures as mandated by the Nigeria Data Protection Act (NDP Act), 2023. The scope of the investigation covers the specific categories of data implicated, the extent of the exposure, the potential risks to Nigerian citizens, and the efficacy of any mitigation steps taken by the firms since the incident occurred.+1
Dr. Vincent Olatunji, the National Commissioner and CEO of the NDPC, has further directed a broader regulatory review of all organizations utilizing digital payment systems. He warned that any entity found operating without the rigorous safeguards required under the NDP Act would face stiff penalties. This follows a precedent set in 2024 when the commission imposed a record ₦555.8 million fine on another major financial institution for similar data protection violations.+2
In response to the reports, some cybersecurity experts have urged the public to remain calm, noting that while the claims are serious, Remita has communicated to its partners that its core payment processing infrastructure and financial APIs remain secure and fully operational. The company maintained that the incident was limited to unauthorized access to certain non-financial data repositories.
However, the NDPC’s intervention underscores the gravity of the situation. Data subjects are advised to remain vigilant against potential phishing campaigns or identity theft attempts that may leverage leaked personal information. The commission is expected to provide a comprehensive update on its findings once the preliminary forensic audit of the companies’ servers is concluded later this month.
Related Developments:
- Cybersecurity Alerts: Security firms have observed an uptick in spoofed login pages targeting Remita users following the data leak claims.
- Regulatory Enforcement: The NDPC is currently monitoring over 13 major sectors for compliance with the 2023 Data Protection Act to maintain the integrity of Nigeria’s growing fintech landscape.
As a contributor to digital news portals, I create content that highlights real-world experiences and evolving viewpoints. My writing combines clarity with relevance to engage readers effectively. I am committed to delivering content that is both informative and relatable.
