NDPC Opens Probe Into Alleged Remita, Sterling Bank Data Breach

Nigeria’s data protection regulator has launched a high-profile investigation into Remita Payment Services Ltd. and Sterling Bank following reports of a potential large-scale data breach involving sensitive personal and financial information.

The development was disclosed by the Nigeria Data Protection Commission in a statement signed by its Head of Legal, Enforcement and Regulations, Babatunde Bamigboye. A formal Notice of Investigation was served on both organisations on April 1, 2026.

NDPC Launches Full-Scale Investigation Into Alleged Cyber Incident

According to the Commission, the probe seeks to determine:

The type of personal data exposed
The scope and severity of the breach
The potential risks to affected individuals
The response and mitigation measures taken

The NDPC emphasized that the primary objective is to ensure that data subjects are protected through appropriate technical and organisational safeguards.

Relevant parties are already cooperating and providing information as part of the ongoing inquiry.

Cyber Threat Claims Trigger Probe

The investigation follows alarming cyber threat reports circulating online, particularly claims by a threat actor known as “ByteToBreach.”

Key allegations include:

A 3TB data leak allegedly linked to Remita, including:
Over 800GB of KYC documents (IDs, passports, utility bills)
Databases, logs, and internal system backups
A separate claim involving Sterling Bank, allegedly exposing:
Data from 900,000 customer accounts
Over 3,000 employee records, including sensitive financial and identity details

Cyber intelligence sources such as Dark Web Informer and Hackmanac flagged these incidents in late March, intensifying public concern.

Wider Exposure Fears Across Nigerian Institutions

Unverified reports suggest the breach may extend beyond the two organisations under investigation, potentially affecting:

Zenith Bank
Oyo State Government
Leadway Assurance
GetBumpa
Ahmadu Bello University

Alongside 30+ other companies and public institutions.

Authorities have not yet confirmed the full scope of these broader claims.

What This Means for Nigeria’s Digital Economy

At a time of rapid fintech growth and digital banking adoption, a confirmed breach of this magnitude could:

Erode public trust in financial platforms
Raise concerns over data security standards
Trigger stricter regulatory enforcement across sectors

Under the Nigeria Data Protection Act 2023, organisations are required to implement robust data protection measures or face significant penalties.

Possible Sanctions and Regulatory Consequences

If violations are confirmed, affected organisations could face:

Fines of up to ₦10 million or 2% of annual gross revenue (whichever is higher)
Mandatory corrective and compliance measures
Increased regulatory scrutiny

The NDPC has already demonstrated enforcement strength, notably fining Multichoice Nigeria ₦766.2 million for data protection violations.

NDPC Expands Crackdown on Data Privacy Violations

The current probe aligns with a broader enforcement push by the Commission, which recently launched investigations into 1,369 organisations suspected of breaching data protection laws.

795 financial institutions are affected
Companies were given 21 days to prove compliance

Regulatory requirements now include:

Annual data protection audit reports
Appointment of Data Protection Officers (DPOs)
Clear documentation of security frameworks
Proper registration as data controllers or processors
Outlook: Rising Pressure on Data Security Compliance

The outcome of this investigation could set a major precedent for Nigeria’s data protection landscape.

As digital services expand, regulators are signaling a clear message: data privacy compliance is no longer optional—it is enforceable.