Nigeria’s Corporate Affairs Commission (CAC) reported a cyber attack on April 15, 2026, disclosing unauthorized access to its information system. While some “containment measures” have been put in place, the commission said it was working with the National Information Technology Development Agency (NITDA) and other relevant bodies to determine the impact of the attack. The CAC breach is the third known institutional attack in Nigeria, following earlier alleged breaches of Sterling Bank and Remita’s databases, in which large volumes of data were taken.
ByteToBreach, a cyber-criminal actor that breaches organisations and trades the stolen data, has claimed the attack. The group targets large multinational corporations with extensive customer databases, such as airlines and large commercial banks, as well as large government entities. A 2025 report on ByteToBreach traced the entity’s earliest activities to around mid-2025, with operations on Telegram, WordPress, and platforms used for data leaks and hacking tools.
Another report analysing ByteToBreach’s targeting pattern shows that financial service providers accounted for the majority of ByteToBreach’s victims. This was followed by organisations in the telecommunications sector, with a further concentration on technology-driven firms, which include data centres, payment processors, and other infrastructure players operating within the digital economy. The cyber-attacker also targeted government bodies and institutions, and health care centres.
ByteToBreach’s first headline attack was on Sterling Bank, between March 18 and 27, 2026. According to Websecuritylab, it exploited a known, patchable vulnerability in a web application framework to gain unauthorized remote code execution. With that access, ByteToBreach exfiltrated production data and high-profile details, and even exposed personal details of Abubakar Suleiman, the bank’s own Managing Director and Chief Executive Officer. An estimated 900,000 customer accounts and over 3,000 employee records were breached.
Remita, a public integrated payment and government revenue platform, was breached on March 31, exposing up to 3 TB of sensitive data, including KYC records, bank statements, and password hashes, among other material from Remita’s cloud storage. According to Security Intelligence, the Remita breach was made possible by the foothold in Nigeria’s financial system gained through Sterling Bank. Remita serves as a gateway to financial and transactional data across several institutions.
The CAC intrusion exposes sensitive company data, including company registration details, shareholder information, financial statements and other important records. Responding to the CAC breach, the Nigeria Data Protection Commission (NDPC) noted that it had likewise opened an investigation reviewing access controls, privacy, vulnerability assessments, and third-party due diligence.
Millions of Nigerians now have their Bank Verification Numbers, National Identification Numbers, financial history, and KYC records, among other data, exposed, putting them at risk of impersonation, financial fraud, and potential misuse for intelligence activities. A breach of this scale opens a Pandora’s box within the country’s business architecture. Given the interconnectivity of these systems, a single compromise can trigger breaches across linked platforms, exposing multiple institutions and data layers simultaneously. The implications of these breaches for national security cannot be overstated. Breaches of sensitive national and financial platforms can be weaponised for fraud, infiltration of critical sectors, and the masking of illicit financial flows, weakening the state’s ability to monitor and control economic activity.
The question of protection requires a discussion of the existing legal protections, the problem, and the means of enforcement. Nigeria’s legal system provides guardrails for data protection. The Constitution of the Federal Republic of Nigeria, 1999, lays the groundwork in Section 37, guaranteeing the fundamental right to private life for all citizens.
The Nigeria Data Protection Act (NDPA), 2023, is one of the most fundamental laws on data protection in Nigeria. Sections 24 and 39 require that entities that collect and use individuals’ data protect that data and are accountable for its security against unauthorised processing, access, or loss. Section 40 of the Act imposes an additional duty on entities in the event of a breach. When a breach occurs, data controllers (as the Act describes them in Section 65) are to communicate the breach, its potential consequences, and the remedies to the data subjects. Both parties are also to maintain comprehensive records of the incident, including its scope, impact, and the measures taken in response. As of press time, not only have Sterling Bank and Remita not issued a public statement regarding the breach, they have also not notified the customers whose data was exposed, even though the Foundation for Investigative Journalism (FIJ) reported that “documents belonging to innocent Nigerians like Mutiu Adeniyi, Adeleke Afe Sunday, Akingun Olubunmi Olufunke, amongst several others” were visible online.
The Cybercrimes Act, 2024, mandates that organisations immediately report attacks and intrusions to the National Computer Emergency Response Team (ngCERT) coordination centre, and empowers ngCERT to propose the isolation of affected computer systems or networks pending resolution. Similarly, the Central Bank of Nigeria (CBN) Cybersecurity Framework requires banks to maintain minimum security standards across all their systems, including keeping internet-facing servers patched and protected against known vulnerabilities. It also requires banks to monitor and secure third-party connections to their infrastructure. Sterling Bank failed on both counts, as an unpatched server gave ByteToBreach its way in.
Nigeria’s data protection laws are comprehensive for safeguarding personal data and regulating breaches, but poor awareness, weak enforcement, and limited institutional capacity hinder their effectiveness. Simon Victor, a lawyer and data protection officer, explains that Nigeria’s data protection laws align with global standards like the EU’s General Data Protection Regulation (GDPR). However, there are challenges around implementation, including limited awareness, enforcement constraints, and resource limitations.
Only a few Nigerians understand the value their data carries, its volatility, the rights attached to it, and the forms of redress available to them in court. Business owners such as market vendors and everyday artisans (and even owners of larger enterprises), as well as ordinary Nigerians, are largely unconcerned about the protection of their data, which institutions often trivialise. This highlights the urgent need for far-reaching campaigns on the value of people’s data, the need to safeguard it, and the need to hold institutions accountable for its protection.
Many business entities and institutions give very little regard to data protection issues and allocate minimal resources to them. The neglect is compounded by weak enforcement and slow application of the law, which leads to public apathy on data protection.
Poor enforcement is the only reason that, despite confirmation of the breach and an ongoing NDPC investigation, Sterling Bank and Remita have yet to publicly acknowledge the breach and notify the victims. Several other high-profile data breaches and leaks have occurred without sanctions or legal redress, as seen in incidents involving national and state institutions. In July 2025, FIJ detailed how a loophole in the Nigeria Immigration Service’s website revealed personal information of Nigerians; in July 2025, a report exposed how the Oyo State Teaching Service Commission (TESCOM) left the personal details of staff and job applicants publicly unprotected; and in 2018, the Arik Air data leak exposed over 994 files containing sensitive passenger information in an unprotected Amazon S3 bucket. Regulatory consequences and accountability remain scarce.
Clearly, the way out begins with ensuring regulatory bodies do their homework and take enforcement more seriously. This is essential to ensure that entities and institutions prioritise the protection of users’ and customers’ data. Just as importantly, data awareness campaigns and sensitisation must be carried out for citizens, coupled with an understanding of how to hold entities accountable and seek redress when rights are violated. The protection of sensitive data belonging to citizens demands urgent and persistent action. Without these, Nigeria’s digital infrastructure will remain a playground for threat actors like ByteToBreach, and the sensitive data of innocent citizens will remain trophies in their clutches.