ABUJA — The Nigeria Data Protection Commission (NDPC) has officially launched a full-scale investigation into an alleged major data breach involving Remita Payment Services Limited and Sterling Bank.
In a statement issued on Sunday, April 5, 2026, the NDPC confirmed that formal “Notices of Investigation” were served to both organisations on April 1. The probe follows alarming reports from a threat actor known as “ByteToBreach,” who claims to have exfiltrated over 3 terabytes (TB) of sensitive data, potentially exposing the personal information of millions of Nigerians.
The Scale of the Alleged Breach
According to claims circulating on cybercrime forums since late March 2026, the breach originated from a vulnerability in Sterling Bank’s infrastructure before pivoting to Remita’s systems. The attacker claims to have accessed approximately 900,000 customer accounts and over 3,000 employee records, including names, BVNs, NINs, and transaction histories.
Roughly 3TB of data was allegedly taken from a misconfigured cloud storage bucket belonging to Remita. This includes over 800GB of KYC documents such as international passports, driver’s licenses, and bank statements, as well as core database exports and encryption keys. Security analysts at firms like GreenWare Tech have noted that some leaked samples appear consistent with the hacker’s past activity, although the full extent of the 3TB dataset has not yet been independently verified.
NDPC Enforcement and Directives
The National Commissioner of the NDPC, Dr. Vincent Olatunji, has directed a broader review of all organisations deploying digital payment systems to ensure strict compliance with the Nigeria Data Protection Act 2023. The investigation will examine the nature and scope of the breach, the categories of personal data involved, and the adequacy of the technical safeguards currently in place.
Organisations found operating without mandatory data protection measures will face severe penalties. This follows the commission’s recent precedent of imposing a ₦555.8 million fine on Fidelity Bank for similar violations.
Urgent Advisory for Users
While neither Remita nor Sterling Bank has issued a full official confirmation of the breach’s extent, security experts recommend that all users take immediate protective steps. You should change all banking passwords and PINs immediately and enable multi-factor authentication (MFA) on all financial and email accounts.
It is also critical to closely watch bank statements for unauthorised transactions and be extremely wary of unsolicited calls or messages asking for BVN or NIN “verification.” These are likely phishing attempts using the leaked data to commit identity theft or fraud.







