
Experts reveal how you can protect your organisation against cyber attacks

Condia asked security experts how Nigerian organisations should respond to rising cyber attacks and shared tips to strengthen defences.
Photo: Cybersecurity experts, Modupe Samuel and Emeka Ndulu

With cyber attacks in Nigeria becoming increasingly frequent, Condia spoke with information security experts to examine the causes, implications, and how a responsible organisation should respond. We also share practical tips to help strengthen your cyber defences. 

Breaking Down The Recent Wave of Data Breaches

Nigeria’s digital economy has grown faster than its ability to protect it. As government agencies digitise services and startups scale rapidly, the sensitive data of millions of Nigerians is moving online. The platforms holding it are often underfunded, undertested, and underprepared for the threats they face, leaving the agencies and companies behind them exposed to attackers.

In March, a cyber attacker known as ByteToBreach exploited a vulnerability in Sterling Bank’s systems that the bank had left unpatched for three months. Inside the bank’s code repository, the attacker found Remita’s production credentials stored in plaintext. Remita was not the intended target, but paid the price for Sterling Bank’s negligence. Neither organisation informed its customers.


ByteToBreach claimed access to approximately one million Sterling Bank customer accounts and over 3,000 employee records, including BVNs, NUBANs, passport details, transaction histories, loan records, and credit scores. Even the CEO and Board Chairman were affected. The Remita breach exposed roughly 3 terabytes of data from a misconfigured Amazon cloud storage bucket, containing hundreds of thousands of identity documents and transaction records.

In April, the Corporate Affairs Commission reported unauthorised access to parts of its digital infrastructure, with NITDA already involved in the response. This followed the hacking of the National Bureau of Statistics website in December 2024. What these incidents reveal is not simply a technical failure. They point to a deeper problem with how Nigerian institutions think about data, accountability, and the people whose information they hold.

Condia spoke with Samuel Modupe, Chief Information Security Officer at VFD Group, to understand the causes of these recurring data breaches. According to him, most of these data breaches are caused by unpatched vulnerabilities, misconfigurations, stolen credentials, insider threats, and weak controls. The implications can be devastating for organisations, potentially resulting in financial loss, regulatory fines, and reputational damage.

“The data breach can include financial losses from fraud, especially on financial platforms. Another consequence is regulatory fines. In Nigeria, negligence leading to a breach costs 2% of gross annual revenue. There’s also reputational damage: customers lose trust in your brand and its ability to deliver,” Modupe said.


Inside a data breach scenario

Emeka Ndulu, an information security expert, also shared his experience dealing with a cyber attack. Hackers breached a Nigerian SME he worked with because it relied on single-factor authentication instead of multifactor authentication. “The attacker gained access, moved laterally within the environment, elevated their privileges to admin level, and began spinning up virtual machines on Microsoft Azure,” he said.

Attackers often use such maliciously deployed cloud resources to build a bot network that generates sign-ins which look like ordinary, interactive human logins to the cloud tenant. Credentials typically reach attackers in three ways: employees registering on third-party sites with their work email and a reused password, phishing emails that trick users into entering passwords on a fake login page, and credential-stealing scripts or keyloggers delivered through compromised websites that silently capture login details.

Once inside, attackers create inbound connectors in Exchange Online that accept mail from attacker-controlled IP addresses, so messages sent from outside the organisation are treated as if they came from the compromised users. Hidden inbox rules then move bounce-backs, failed deliveries and replies into obscure folders (or delete them outright), keeping the compromised user completely in the dark.

The endgame is often financial. A contact receives an email that says, “Disregard the previous invoice, use this one instead.” The payment goes to the wrong account. By the time anyone notices, the money is gone.
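The connector-and-inbox-rule pattern described above leaves a trail in the tenant’s audit log, which is where a defender should look first. The following added example (not from the article or either expert) hunts through constructed audit records shaped like Exchange Online Unified Audit Log entries for the two tell-tale operations: a new inbox rule that hides bounce or payment-related mail, and a new inbound connector that accepts mail from IP addresses outside the organisation’s known relays. The records, the relay allowlist and the folder and keyword lists are all assumptions for illustration.

```python
"""Hunt for BEC persistence (hidden inbox rules, rogue inbound connectors).

Added example, not code from the article. The audit records below are
constructed to resemble Unified Audit Log entries (Operation, UserId,
ClientIP, Parameters) but are not real logs.
"""

# Folders attackers commonly use to bury redirected mail (assumed list).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "deleted items", "junk email"}
# Subject keywords a thief wants hidden from the victim (assumed list).
SENSITIVE_WORDS = {"undeliverable", "delivery failure", "returned mail",
                   "invoice", "payment", "wire", "bank"}
# The organisation's legitimate mail relays (assumption: one on-prem gateway).
KNOWN_RELAY_IPS = {"192.0.2.10"}

# Constructed sample audit records.
SAMPLE_AUDIT = [
    {"Operation": "New-InboxRule", "UserId": "ada@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "undeliverable;invoice;payment"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "bola@example.com", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "New-InboundConnector", "UserId": "ada@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "Inbound from partner"},
                    {"Name": "ConnectorType", "Value": "OnPremises"},
                    {"Name": "SenderIPAddresses", "Value": "203.0.113.0/24"}]},
    {"Operation": "New-InboundConnector", "UserId": "it-admin@example.com", "ClientIP": "192.0.2.5",
     "Parameters": [{"Name": "Name", "Value": "Partner mail gateway"},
                    {"Name": "ConnectorType", "Value": "Partner"},
                    {"Name": "SenderIPAddresses", "Value": "192.0.2.10"}]},
]


def params(record):
    """Flatten the Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def inbox_rule_reasons(record):
    """Return the reasons an inbox rule looks like attacker persistence."""
    p = params(record)
    reasons = []
    folder = p.get("MoveToFolder", "").strip().lower()
    if folder in HIDING_FOLDERS or p.get("DeleteMessage") == "True":
        reasons.append(f"hides matching mail (folder={p.get('MoveToFolder') or 'deleted'})")
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w.strip()}
    if words & SENSITIVE_WORDS:
        reasons.append(f"targets bounce/payment keywords {sorted(words & SENSITIVE_WORDS)}")
    if any(p.get(k) for k in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")):
        reasons.append("forwards or redirects mail")
    if p.get("MarkAsRead") == "True":
        reasons.append("marks mail as read so the victim never sees it unread")
    if not p.get("Name", "").strip(" ._-"):
        reasons.append(f"near-empty rule name {p.get('Name')!r}")
    return reasons


def connector_reasons(record):
    """Return the reasons an inbound connector looks attacker-created."""
    p = params(record)
    reasons = []
    if p.get("ConnectorType") == "OnPremises":
        reasons.append("OnPremises connector: mail from its IPs is treated as internal")
    ips = {i.strip() for i in p.get("SenderIPAddresses", "").split(";") if i.strip()}
    unknown = ips - KNOWN_RELAY_IPS
    if unknown:
        reasons.append(f"sender IPs not in the relay allowlist: {sorted(unknown)}")
    return reasons


def hunt(records):
    """Return (operation, user, client_ip, reasons) for every suspicious record."""
    findings = []
    for r in records:
        op = r.get("Operation")
        if op in ("New-InboxRule", "Set-InboxRule"):
            reasons = inbox_rule_reasons(r)
            # One weak signal is normal user behaviour; two or more, or any
            # forwarding, is worth an analyst's time.
            if len(reasons) >= 2 or any("forwards" in x for x in reasons):
                findings.append((op, r["UserId"], r["ClientIP"], reasons))
        elif op in ("New-InboundConnector", "Set-InboundConnector"):
            reasons = connector_reasons(r)
            if reasons:
                findings.append((op, r["UserId"], r["ClientIP"], reasons))
    return findings


if __name__ == "__main__":
    for op, user, ip, reasons in hunt(SAMPLE_AUDIT):
        print(f"{op} by {user} from {ip}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against real exports, the same logic applies to the output of `Search-UnifiedAuditLog` (or to the current state from `Get-InboxRule -Mailbox <user>` and `Get-InboundConnector`); the point is that both the rule and the connector in the sample come from the same client IP, which is exactly the correlation a playbook should pivot on.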

How digitally responsible organisations respond to data breaches 

How an organisation responds to a breach often matters as much as the breach itself. Get it right, and trust can be rebuilt. Get it wrong, and the damage is permanent. There are precedents for handling the situation well and for mismanaging it completely. Let’s examine what good and bad responses look like in practice.

Microsoft’s 2021 response to the Exchange Server vulnerability exemplifies best practice: they released emergency patches within days, published clear technical guidance, and communicated openly with affected organisations rather than waiting for a scheduled update. 

Equifax in 2017 was the opposite: it waited six weeks to disclose a breach affecting 147 million people, then faced a flawed notification site, overwhelmed support, and a $575 million FTC settlement, on top of the revelation that executives had sold shares before the breach was disclosed. Kenya’s 2023 response to the eCitizen attack was imperfect but transparent, with a prompt public acknowledgement, a clear explanation of the attack, and a restoration timeline.

Security must be built in from the design stage, not bolted on afterwards. Every API endpoint must require authentication, and every authenticated call must still be authorised for the data it touches. Without that, a malicious actor only needs to find the exposed endpoint to walk in.


“These frameworks can be a guideline: the Zero Trust principle and the Open Web Application Security Project (OWASP). OWASP flags broken authentication, broken authorisation, and flawed business logic as the most exploited vulnerabilities. Another framework is rate limiting, which, along with expiring tokens after a set time, helps shut down brute-force attempts before they succeed,” Ndulu said.

On identity, phishing-resistant MFA is the most effective control available. Passkeys, FIDO security keys, and Windows Hello for Business (which unlocks with facial recognition, a fingerprint, or a PIN bound to the device) tie the credential to the device and to the genuine site, which makes remote compromise through a phishing page nearly impossible.

A responsible organisation also notifies regulators within 72 hours, and clearly tells affected users what was exposed, what is being done, and what they should do next. Finally, it owns the incident publicly: leadership acknowledges the failure and explains what is changing. Vague statements about “taking security seriously” are not accountability.

Culture decides who handles breaches well. The good ones build security like infrastructure and lead with the truth. The bad ones manage PR first, people second. That’s what kills trust. Modupe said, “It’s not a matter of if but of when. The crucial thing is how you respond and communicate if a cybersecurity or data breach happens.”

Building a Resilient Cyber Defence

As attackers become increasingly sophisticated and use AI-driven tools, organisations must update their cybersecurity defences. Regulatory compliance requirements are also constantly evolving. According to Ndulu, companies must move on from outdated software and static policies that leave critical vulnerabilities exposed.

“Some of the outdated security still common today are over-reliance on passwords, using multiple security tools to do the same function, SMS-based multifactor authentication, and not automating your defence,” Ndulu said.


He explained that a smarter alternative to passwords is passwordless authentication, and that a security-first mindset should be embedded from the start by training and empowering users. Rather than adopting multiple security tools that duplicate functionality, a better approach is a single platform that ingests all your logs in one place and proactively monitors your security posture.

SIM swap attacks and man-in-the-middle calls, in which fraudsters impersonate support staff to extract OTPs, are becoming more rampant. The answer is to stop using the phone number as the factor at all: replace SMS codes with a number-matching push prompt delivered only to a pre-registered authenticator app such as Microsoft Authenticator, or go fully passwordless.


Furthermore, organisations remain reactive when threats land outside working hours, such as over a holiday. With tools like Security Orchestration, Automation and Response (SOAR), suspicious activity, such as impossible travel or session hijacking, triggers an automatic response (revoking sessions, forcing re-authentication, paging the on-call) without waiting for a human to pick up the phone.

Organisations need to monitor their systems closely to spot threats early. They also need to protect every part of their digital setup and always have backups ready, so that if something goes wrong, they can get back to business as quickly as possible. “It is not a matter of if a breach will happen, but when. What truly separates resilient organisations from vulnerable ones is not the absence of attacks, but the strength of their response when one occurs,” Modupe said.
