The Nigeria Data Protection Commission (NDPC) has opened an investigation into Remita Payment Services Ltd. and Sterling Bank after claims that both were compromised.
On March 31, cyber intelligence account Dark Web Informer said a large dataset linked to Remita was posted on a cybercrime forum. The data is said to be about 3 terabytes from cloud storage. It includes over 800GB of KYC documents such as identity cards, passports, bank statements, and utility bills. The leak also contains databases, logs, source code, password hashes, and backups.
In a separate alert on March 27, Hackmanac, a Dubai-based cybersecurity firm, said a threat actor known as ByteToBreach claimed it breached Sterling Bank. Researchers at KELA Cyber have tracked the group since June 2025. Its past targets include Uzbekistan Airways, Seychelles Commercial Bank, and Viking Line.
Foundation for Investigative Journalism (FIJ) said some exposed files include database folders, SQL code, and structures linked to a Remita system. The files also contain identity documents of Nigerian users. At the time of reporting, Remita had not issued a public statement. People’s Gazette, citing an email from the company, said it reset its API keys but did not mention any breach.
The NDPC issued a Notice of Investigation on April 1, 2026. Babatunde Bamigboye, Head of Legal, Enforcement and Regulations, signed the notice. The probe will review the type of data involved, the scale of the breach, the risks to users, and any steps taken to limit damage. The parties involved are cooperating.
What this means for Nigeria’s digital payment ecosystem
Section 40 of the Nigeria Data Protection Act requires organisations to report a breach to the NDPC within 72 hours of becoming aware of it, if it may affect users. The report must state the nature of the breach, the type of data involved, the number of people affected, and the likely impact.
NDPC National Commissioner and CEO Dr. Vincent Olatunji directed that organisations using digital payment systems without proper safeguards will also be reviewed under the Nigeria Data Protection Act 2023.
The NDPC has already opened a wider probe into 1,369 organisations across banking, insurance, pensions, and gaming. It fined Multichoice Nigeria N766.2 million for unlawful data processing and illegal cross-border data transfer.
The NDPC lists Remita as a data processor of major importance at the ultra-high level. The outcome of this investigation may shape how data breaches in Nigeria’s financial and digital services sector are handled under the 2023 Act.
Get passive updates on African tech & startups
View and choose the stories to interact with on our WhatsApp Channel
ExploreLast updated: April 6, 2026
