The Nigeria Data Protection Commission (NDPC) has commenced an investigation into an alleged customer data breach involving Sterling Bank, Remita Payment Services Ltd. and other entities.
This was contained in a statement released on Sunday, April 5, and signed by Babatunde Bamigboye, Head, Legal, Enforcement & Regulations at the Commission.
“The Nigeria Data Protection Commission (NDPC) is carrying out an investigation into an alleged data breach involving Remita Payment Services Ltd., Sterling Bank and other entities. In line with the Commission’s procedure, Notice of Investigation was duly served on the 1st of April, 2026. Relevant parties and individuals have been providing information for the purpose of addressing the incident,” the statement seen by TechMedia Africa reads in part.
A threat actor identified as ByteToBreach has also claimed responsibility for breaching Sterling Bank, Remita Payment Services Ltd., and other related entities, raising concerns over the safety of customer data.
How Sterling Bank and Remita Customer Data Was Breached
According to documents seen by TechMedia AfricaNairametrics, purportedly from ByteToBreach, the breach involved a large volume of sensitive data linked to customers and staff.
- “900,000~ customers accounts and +3000 employees from Sterling Bank, and a separate database from the majority stake holders, Cardinal Stone.”
The hacker claims the stolen data includes the personal files of top executives, including CEO Abubakar Suleiman and Chairman Olatunji Mayaki. The trove allegedly contains highly sensitive information such as Bank Verification Numbers (BVN), international passports, transaction histories, and credit scores.
ByteToBreach blamed Sterling Bank for the incident, alleging lapses in its security infrastructure.
“Important point: Everything is hosted on the networks and ASN infrastructure of Sterling Bank Plc (ASN > AS328053), and they hold the full responsability for failing to maintain security for their bank. There is no imaginary third party or scapegoat partner involved in this compromise. This is a 100% failure from Sterling Bank.”
NDPC Response to the Breach
The NDPC said it has initiated a probe to determine the extent of the alleged breach and ensure that affected individuals are adequately protected.
“The Nigeria Data Protection Commission (NDPC) is carrying out an investigation into an alleged data breach involving Remita Payment Services Ltd., Sterling Bank and other entities. In line with the Commission’s procedure, Notice of Investigation was duly served on the 1st of April, 2026. Relevant parties and individuals have been providing information for the purpose of addressing the incident.”
The Commission added that the investigation would assess the categories of personal data involved, the scale and nature of the breach, the risks posed to affected individuals, and the measures taken to mitigate any confirmed compromise.
NDPC further disclosed that its National Commissioner/CEO, Vincent Olatunji, has ordered a broader review of organisations using digital payment systems.
“Organisations that employ digital payment systems without putting in place appropriate technical and organisational measures as mandated under the Nigeria Data Protection Act, 2023 (NDP Act), will also be examined as part of a wider effort to ensure the integrity of the ecosystem.”
How Cyber Attacks is Affecting Nigeria’s Financial Sector
Data breaches of this nature have previously drawn regulatory scrutiny from the NDPC.
In February 2026, the Commission launched a probe into alleged data exposure involving the e-commerce platform Temu, reportedly affecting 12.7 million Nigerians.
Cyberattacks targeting financial institutions have also continued to rise, often resulting in significant financial losses.
According to the Nigeria Inter-Bank Settlement System, Nigerian banks lost about ₦52.26 billion to fraud in 2024, representing a sharp increase compared to the previous year.
In a recent article, TechMedia Africa reported that in the first half of 2025 alone, Access Bank reportedly recorded losses of N1.64 billion to cyber fraud, while United Bank for Africa and Guaranty Trust Bank lost N288 million and N225 million respectively.
Due to the rising cases of these cyber attacks in Nigeria’s financial sector, the country’s apex bank, CBN, recently directed banks and other financial institutions to implement a Cybersecurity Self-Assessment Tool (CSAT) to strengthen the sector’s resilience against growing cyber threats.