Reported by: Ijeoma G | Edited by: Oravbiere Osayomore Promise.
ABUJA, NIGERIA — Nigeria’s data privacy watchdog, the Nigeria Data Protection Commission (NDPC), has launched a comprehensive investigation into alleged data breaches involving Remita Payment Services Ltd., Sterling Bank and several other parties, amid mounting public anxiety over the security of personal and financial information within the country’s rapidly growing digital payments ecosystem. The probe, triggered by claims circulating online and dark web forums, was formally initiated with the issuance of Notices of Investigation on April 1, 2026, after regulators moved to verify whether sensitive user data may have been accessed without authorisation.
The NDPC’s inquiry comes against a backdrop of heightened cybersecurity concerns across Nigeria’s financial sector, where fintech platforms, banks and digital payment processors handle vast volumes of citizens’ personal and financial information. According to an official statement from the commission, the investigation aims to determine the nature, scope and impact of the alleged breach — including exactly which types of personal data may have been affected — and to assess the risks posed to individuals whose information could be compromised. Organisations subject to the probe have already begun submitting information at the request of the commission to support the fact‑finding process.
Babatunde Bamigboye, head of the NDPC’s Legal, Enforcement and Regulations department, said the commission’s objective is to ensure that data subjects — a legal term for individuals whose data is processed — are fully protected by “appropriate technical and organisational measures” as mandated under the Nigeria Data Protection Act, 2023. The law requires all entities handling personal data to employ robust safeguards, report serious breaches where there is risk to individuals, and take timely steps to mitigate harm. Bamigboye stated that the investigation will look at how the alleged breach occurred, the protections that were in place before the incident, and any actions taken to contain or prevent further compromise.
In addition to scrutinising Remita and Sterling Bank, the NDPC’s probe has a broader mandate: regulators intend to review other organisations in the digital payments space to ensure compliance with data protection standards, particularly where technical and organisational safeguards may be insufficient or absent. The commission’s National Commissioner and Chief Executive Officer, Dr. Vincent Olatunji, emphasised that the investigation is part of wider efforts to safeguard the integrity of Nigeria’s digital economy and enforce compliance with the data protection law. Entities found operating without adequate data protection measures face the possibility of regulatory sanctions under the Act.
Although the NDPC has confirmed the investigation, it has not yet publicly verified the specific claims about what data may have been exposed or how the alleged breach occurred. The probe was prompted in part by reports attributed to a dark web or hacker group — widely discussed online — alleging that systems linked to Sterling Bank and Remita were compromised. Those reports, which have not been independently confirmed by authorities, alleged access to data such as identification numbers, financial account information and personal identifiers belonging to customers and possibly employees. The NDPC is now working to substantiate or refute those claims as it gathers facts from the organisations under scrutiny.
Under the Nigeria Data Protection Act, organisations that process personal data are legally required to implement technical and administrative safeguards that are appropriate to the risks involved and proportionate to the nature of the data. Where a breach occurs that poses a risk to the rights and freedoms of individuals, the data controller must report the incident to the NDPC and take steps to mitigate harm and notify affected data subjects. The commission’s current investigation will assess whether those duties were fulfilled and whether any failures in data handling occurred.
The digital payment ecosystem in Nigeria has grown dramatically in recent years, playing a key role in mobile banking, government collections, commercial transfers and broader financial inclusion initiatives. Platforms like Remita — which is widely used by government agencies and private companies for collections and payments — and banks such as Sterling, which offer digital banking services nationwide, manage extensive databases of citizen information. Any confirmed breach affecting these systems could have significant implications for public trust and the wider economy.
So far, neither Remita nor Sterling Bank has issued a detailed official public statement addressing the allegations or confirming whether a breach occurred. The absence of immediate corporate responses has heightened concerns among consumers and digital rights advocates, who have called for greater transparency from financial institutions and stricter enforcement of data protection rules to safeguard citizens’ privacy. Observers have emphasised that clear communication from affected organisations is critical not just to restore public confidence, but also to guide affected customers on protective steps they should take if personal information was exposed.
Industry analysts say the outcome of the NDPC’s investigation could have wide‑ranging consequences for the fintech and banking sectors in Nigeria. A confirmed breach could pave the way for stronger enforcement actions, including fines and mandated security improvements, and could spur broader calls for enhanced cybersecurity practices across all sectors that handle sensitive personal data. Digital economy stakeholders have stressed that as Nigeria accelerates its transition to digital payments and online services, robust data protection governance will be essential to building resilient and secure digital infrastructure.
The investigation also underscores a growing trend of regulatory activism in the area of data protection, with the NDPC positioning itself as a key enforcement body under Nigeria’s 2023 data protection regime. In recent years, the commission has taken action against several organisations for non‑compliance, including notable fines and enforcement directives, signalling that regulators are increasingly serious about cracking down on unsafe data practices and protecting citizens’ privacy rights.
As the NDPC’s inquiry unfolds, Nigerians — especially users of digital financial platforms — are watching closely for further developments, official findings and guidance on mitigation measures. The investigation’s conclusions may shape not only corporate compliance behaviour, but also how consumers interact with digital services in an era where data privacy concerns are rapidly rising.
📩 Stone Reporters News | 🌍 stonereportersnews.com
✉️ info@stonereportersnews.com | 📘 Facebook: Stone Reporters News | 🐦 X (Twitter): @StoneReportNew | 📸 Instagram: @stonereportersnews
Add comment
Comments