Nigeria’s data protection regulator has launched an investigation into Remita Payment Services Ltd. and Sterling Bank following reports of a potential large-scale data breach that may have exposed sensitive personal and financial information of Nigerians.
The development was disclosed in a statement signed by Babatunde Bamigboye, Head of Legal, Enforcement and Regulations at the NDPC.
The Commission confirmed that a formal Notice of Investigation was served on April 1, 2026, to both parties.
The probe, initiated by the Nigeria Data Protection Commission (NDPC), comes after growing concerns over a suspected cyber incident involving both entities.
According to the Commission, the investigation is to determine the extent of the alleged breach and ensure that affected data subjects are adequately protected.
The NDPC’s investigation follows a series of cyber threat alerts circulating online, pointing to potential breaches involving both institutions.
The investigation follows a wave of alarming claims by a threat actor identified as “ByteToBreach,” who alleged responsibility for breaching systems linked to both Remita and Sterling Bank.
Reports circulating online suggest that the alleged breach may not be limited to just the currently investigated entities. Claims indicate that data linked to organisations such as Zenith Bank, Oyo State Government, Leadway Assurance, GetBumpa, and Ahmadu Bello University, alongside more than 30 other companies and government institutions, may have been exposed to the public.
At a time when digital banking and fintech adoption are accelerating across Nigeria, any confirmed breach of this scale could weaken public trust in the system and raise concerns about how securely personal data is being managed.
The implications go beyond reputational damage. Under the Nigeria Data Protection Act 2023, organisations are required to implement strong technical and organisational safeguards to protect user data or risk regulatory action.
If investigations show gaps in compliance, the affected organisations could face penalties of up to N10 million or 2% of their annual gross revenue, whichever is higher, alongside mandatory corrective measures.
Nairametrics reported that the Commission launched a sector-wide investigation into 1,369 organisations suspected of violating provisions of the Nigeria Data Protection Act 2023.
The Commission has also demonstrated its willingness to impose penalties where necessary. In one of its most notable cases, it fined Multichoice Nigeria N766.2 million after finding violations related to unlawful data processing and illegal cross-border transfer of Nigerians’ personal data.
