Nigerian Cyber Crisis: CAC Data Breach Sparks Official Probe Amidst Silence

Published 11 hours ago. 4 minute read.

The Nigeria Data Protection Commission (NDPC) has initiated comprehensive investigations into recent cyberattacks affecting multiple key Nigerian institutions, including the Corporate Affairs Commission (CAC), Sterling Bank, and Remita Payment Services. These probes underscore a growing concern over the increasing sophistication of threat actors targeting Nigerian databases and the lax data security practices prevalent across various organizations.

The NDPC's intervention, announced on April 17, 2026, and overseen by National Commissioner Dr. Vincent Olatunji, is mandated by Section 46(3) of the Nigeria Data Protection Act 2023. The investigation into the CAC breach will scrutinize access controls, data privacy impact assessments, vulnerability checks, security testing, and due diligence on third-party data processors. While the CAC publicly acknowledged "unauthorized access to limited aspects" of its systems on April 15, evidence presented by the threat actor, known as "ByteToBreach," suggests a far more extensive compromise.

The CAC's system exhibited fundamental security flaws, including the use of sequential integers for staff user IDs, which allowed ByteToBreach to gain a valid login token without a password or any second authentication factor by simply counting upward through IDs. Furthermore, a second access path through the CAC’s document management system permitted direct file downloads from a public-facing subdomain, with knowledge of the filename being the only barrier to access. This demonstrates a critical lack of authentication and security in a foundational national registry.
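The ID-counting pattern described above leaves a recognisable trace in web server logs: one client walking a token endpoint through consecutive numeric IDs. The following detector is an added example written for this article, not code from the CAC or the reporting; the endpoint path `/api/auth/token/<id>`, the IP addresses and the log lines are all constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, Tuple

# Constructed access-log sample (common log format). 203.0.113.7 walks staff IDs
# 1001..1006 in order and is issued a token each time; the other clients are normal.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Apr/2026:10:00:01 +0100] "GET /api/auth/token/1001 HTTP/1.1" 200 312
198.51.100.4 - - [17/Apr/2026:10:00:01 +0100] "GET /api/auth/token/1042 HTTP/1.1" 200 311
203.0.113.7 - - [17/Apr/2026:10:00:02 +0100] "GET /api/auth/token/1002 HTTP/1.1" 200 310
203.0.113.7 - - [17/Apr/2026:10:00:02 +0100] "GET /api/auth/token/1003 HTTP/1.1" 200 314
192.0.2.9 - - [17/Apr/2026:10:00:03 +0100] "GET /api/auth/token/1001 HTTP/1.1" 401 87
203.0.113.7 - - [17/Apr/2026:10:00:03 +0100] "GET /api/auth/token/1004 HTTP/1.1" 200 309
192.0.2.9 - - [17/Apr/2026:10:00:04 +0100] "GET /api/auth/token/1003 HTTP/1.1" 401 87
203.0.113.7 - - [17/Apr/2026:10:00:04 +0100] "GET /api/auth/token/1005 HTTP/1.1" 200 313
203.0.113.7 - - [17/Apr/2026:10:00:05 +0100] "GET /api/auth/token/1006 HTTP/1.1" 200 312
198.51.100.4 - - [17/Apr/2026:10:00:06 +0100] "GET /static/logo.png HTTP/1.1" 200 4021
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+$'
)
# Hypothetical token endpoint keyed by a numeric staff ID (assumption, not the CAC's real path).
TOKEN_RE = re.compile(r'^/api/auth/token/(?P<uid>\d+)$')


def detect_sequential_enumeration(log_text: str, min_run: int = 5) -> Dict[str, Tuple[int, int]]:
    """Flag clients that request the token endpoint for strictly consecutive user IDs.

    Returns {client_ip: (longest_consecutive_run, tokens_issued_with_200)} for every
    client whose longest +1 run is at least min_run. Requests are examined in log order.
    """
    ids_by_ip = defaultdict(list)
    ok_by_ip = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines that are not in the expected format
        t = TOKEN_RE.match(m["path"])
        if not t:
            continue                      # only the token endpoint is of interest
        ids_by_ip[m["ip"]].append(int(t["uid"]))
        if m["status"] == "200":
            ok_by_ip[m["ip"]] += 1        # a 200 here means a token was actually issued
    findings = {}
    for ip, ids in ids_by_ip.items():
        best = run = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1   # extend the run only on exact +1 steps
            best = max(best, run)
        if best >= min_run:
            findings[ip] = (best, ok_by_ip[ip])
    return findings
```

A non-zero second value is the more serious signal: it shows the endpoint handed out tokens on the strength of an ID alone, which is the condition the article describes.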

The compromised CAC data is highly sensitive, representing the legal ground truth of Nigerian corporate life. It includes authoritative records of directors, shareholders, registered addresses, board resolutions, passport scans, and National Identity Numbers (NINs). ByteToBreach claims to have downloaded approximately 25 million documents, totaling 759 gigabytes of data, with administrative access across 474 roles within the CAC's administrative portal, directly contradicting the agency's understated public statement.

Separately, ByteToBreach also exploited Sterling Bank's systems. The actor gained entry through a known, maximum-severity vulnerability on a testing server that the bank had left unpatched for three months. ByteToBreach spent nine days documenting the contents, revealing a significant institutional oversight in maintaining robust cybersecurity posture.

Alarmingly, Sterling Bank reportedly engaged in ransom negotiations of €250,000 with ByteToBreach, which stretched across weeks, yet failed to issue any public statement or customer notification since March 27. This conduct is in direct violation of data protection laws and left hundreds of thousands of customers unaware of the potential compromise of their sensitive data while their bank was in back-channel discussions with the perpetrator.

Remita Payment Services suffered collateral damage in the Sterling Bank breach. ByteToBreach discovered production credentials for Remita's systems stored in plaintext within a code repository accessed via Sterling Bank. This incident highlights the interconnectedness of digital systems and the cascading impact of security failures, as Remita was never the primary target but became compromised due to another entity's poor data handling practices.

The Nigeria Data Protection Act (NDPA) 2023 explicitly mandates data controllers, including financial institutions and government agencies, to notify the NDPC within 72 hours of becoming aware of a breach posing risk to individuals, and to notify affected individuals without undue delay. The institutional silence from Sterling Bank, Remita, and the Corporate Affairs Commission following these breaches constitutes a direct and ongoing violation of these statutory obligations, demonstrating a severe lapse in transparency and accountability.

Moreover, the Nigeria Data Protection Regulation (NDPR) 2019 requires institutions to implement reasonable security measures to protect personal data. The unpatched maximum-severity vulnerability at Sterling Bank, plaintext production credentials at Remita, and the unauthenticated government registry at CAC all fall far short of what constitutes reasonable security. These failures expose significant regulatory liabilities for all three institutions.

These incidents are not mere acts of fate but clear institutional failures. As ByteToBreach himself stated, "Protecting Nigerians is not my responsibility. That’s the duty of the government." The vulnerabilities exploited were not hidden or obscure; they were findable by anyone who cared to look. The regulatory framework, which should have caught these issues proactively, evidently did not.

The lack of a basic acknowledgment or apology from the affected organizations to the millions of ordinary Nigerians whose personal and corporate data may have been compromised is particularly unsettling. Instead, individuals received silence from the institutions obligated to protect their data, while the hacker provided a calm, detailed account of the breaches. This normalization of open security doors and institutional silence calls into question the claims of data security across Nigeria's digital economy, and demands that institutions prove, rather than merely assert, that their systems are truly secured.
