Nigeria’s data protection regulator, the Nigeria Data Protection Commission (NDPC), has launched an investigation into an alleged data breach involving Remita Payment Services Ltd., Sterling Bank, and other entities.

The move follows claims by a threat actor who alleged that sensitive customer and institutional data may have been compromised.

In a statement released on Sunday, and signed by Babatunde Bamigboye, Head of Legal, Enforcement and Regulations at the NDPC, the commission confirmed that a formal notice of investigation had been issued on April 1, 2026.

According to the statement, affected organisations have begun submitting relevant information as part of the inquiry.

“The investigation by NDPC covers, among others, the types of personal data involved, the nature and scope of the alleged breach, the risk to data subjects, and the mitigation measures carried out where a breach is confirmed,” the commission stated according to Vanguard News.

The development marks one of the latest regulatory actions by the NDPC as it seeks to strengthen data protection and ensure compliance within Nigeria’s expanding fintech and banking ecosystem.

Allegations and Scope of the Reported Breach

The probe follows claims made by a threat actor identified as “ByteToBreach” on dark web forums. According to the claims, the actor gained unauthorised access to systems linked to Sterling Bank and Remita, exposing sensitive information belonging to customers and employees.

The alleged incident involving Sterling Bank reportedly occurred on March 27, 2026. According to reports, approximately 900,000 customer accounts and more than 3,000 employee records were affected.

The data reportedly included Bank Verification Numbers (BVN), account details, transaction histories, loan information, and identity-related documentation.

RELATED ARTICLE: Nigerian Fintech Is Under Siege — Remita, Sterling Bank, and FCMB Are All in the Headlines at Once

Just days later, on March 31, the same actor claimed to have accessed cloud storage infrastructure connected to Remita, extracting roughly three terabytes of data.

Remita is widely used for government and corporate payment processing, making the claims particularly significant.

The alleged Remita breach reportedly involved over 800 gigabytes of Know Your Customer (KYC) documentation. These files were said to include passports, national identification documents, bank statements, photographs, and utility bills.

The actor also claimed access to databases, application logs, source codes, and more than 35,000 password hashes.

Cybersecurity analysts monitoring the situation noted that, if verified, the scale of the breach could affect millions of Nigerians.

Some analysts also suggested that the incident could potentially expose government-related Hardware Security Module keys, which are used in securing financial transactions.

However, the NDPC has emphasised that investigations are still ongoing and that the claims remain unverified at this stage.

Growing Regulatory Oversight in Nigeria’s Digital Payment Ecosystem

The NDPC’s Chief Executive Officer, Dr. Vincent Olatunji, has directed that organisations operating digital payment systems without adequate technical safeguards be investigated.

The move aligns with the provisions of the Nigeria Data Protection Act 2023, which requires institutions to maintain robust data protection frameworks.

Under the law, organisations are required to notify the NDPC within 72 hours of becoming aware of any breach that may affect individuals’ rights and freedoms. In situations where the breach poses risks such as fraud, identity theft, or financial loss, affected users must also be informed directly.

The current investigation is part of a regulatory effort aimed at strengthening data protection compliance across Nigeria’s fintech and banking sectors. As digital payments continue to expand, regulators have increased scrutiny to ensure customer data remains secure.

Earlier in February, the NDPC also launched an inquiry into the global e-commerce platform Temu over potential violations of the Nigeria Data Protection Act 2023.

The move signalled a more proactive regulatory stance toward both local and international platforms handling Nigerian user data.

Remita, operated by SystemSpecs, plays a significant role in Nigeria’s financial infrastructure, processing government salaries, pensions, and large-scale corporate transactions.

Sterling Bank, on the other hand, is a licensed commercial bank serving hundreds of thousands of customers across Nigeria.

The NDPC reiterated that the objective of the investigation is to safeguard users’ personal data and ensure compliance across the financial ecosystem.

As of the time of this writing, it is important to note that, neither Remita nor Sterling Bank has released official public statements confirming or denying the alleged breaches.

Protecting Digital Trust in a Growing Fintech Ecosystem

As Nigeria’s digital payment ecosystem continues to expand, data protection has become increasingly critical. Incidents such as alleged breaches highlight the importance of strong cybersecurity frameworks and regulatory oversight.

The ongoing investigation also shows the NDPC’s commitment to protecting personal data and ensuring organisations handling sensitive information comply with legal requirements.

For users, it also serves as a reminder of the growing importance of data security in an increasingly digital financial environment.