Remita, Sterling Bank face NDPC scrutiny over alleged data exposure

The Nigeria Data Protection Commission (NDPC) has launched a formal investigation into Remita Payment Services Ltd. and Sterling Bank following reports of a potential large-scale data breach that may have exposed sensitive personal and financial information of thousands of Nigerians.

The NDPC confirmed in a statement signed by Babatunde Bamigboye, Head of Legal, Enforcement and Regulations, that a Notice of Investigation was served to both organisations on April 1, 2026.

According to the Commission, the investigation will assess the technical and organisational measures both entities had in place to safeguard user data.

“The aim of the investigation is to ensure that data subjects are protected with appropriate technical and organisational measures,” the statement said.

The NDPC’s inquiry follows a series of alarming cyber threat alerts circulating online, alleging that a threat actor identified as “ByteToBreach” breached systems linked to both Remita and Sterling Bank.

Cyber intelligence reports allege that Remita’s systems may have leaked about 3 terabytes of data from cloud storage, including over 800GB of Know Your Customer (KYC) documents such as identity cards, passports, bank statements, and utility bills.

The leak reportedly also involved databases, logs, source code, password hashes, and backups of internal systems.

Similarly, Sterling Bank was reported to have potentially exposed data linked to approximately 900,000 customer accounts and over 3,000 employee records. The compromised information allegedly includes banking details, BVNs, passports, transaction histories, loan records, and credit scores.

Under the Nigeria Data Protection Act 2023, organisations are mandated to implement strong technical and organisational safeguards to protect personal data.

Failure to comply could result in penalties of up to N10 million or 2 per cent of annual gross revenue, whichever is higher, as well as mandatory corrective measures.

The NDPC has already launched a sector-wide compliance review covering 1,369 organisations across banking, insurance, pensions, gaming, and other sectors, including 795 financial institutions. Companies have been given 21 days to submit evidence of compliance or face sanctions.

In addition, all companies are required to submit annual data protection audit reports, appoint Data Protection Officers, outline security measures, and register as data controllers or processors.

The NDPC has previously demonstrated a willingness to enforce penalties, including fining Multichoice Nigeria N766.2 million for unlawful data processing and illegal cross-border transfers of Nigerians’ personal data.

“If confirmed, the Remita and Sterling Bank incidents could represent one of the largest financial data breaches in Nigeria’s history,” said Chukwuemeka Nwosu, cybersecurity analyst.

“The exposure of KYC documents and transaction histories could have severe implications for identity theft, fraud, and public trust in digital finance.”

Bimbo Adeoye, a fintech consultant, added: “Financial institutions must prioritise robust cybersecurity frameworks. NDPC’s active investigation sends a strong signal that non-compliance will be met with regulatory consequences, which is critical for the growth of fintech and digital banking in Nigeria.”