NDPC probes Remita, Sterling Bank over alleged data breach

The Nigeria Data Protection Commission (NDPC) has launched an investigation into an alleged data breach involving Remita Payment Services Ltd., Sterling Bank, and other entities following claims by a threat actor that sensitive customer data was compromised.

In a statement released on Sunday and signed by Babatunde Bamigboye, NDPC’s head of legal, enforcement, and regulations, the commission confirmed that a notice of investigation was served on April 1, 2026, and that relevant parties have begun providing information to address the incident.

“The investigation by NDPC covers, among others, the types of personal data involved, the nature and scope of the alleged breach, the risk to data subjects, and the mitigation measures carried out where a breach is confirmed,” the statement read.

What the alleged breach involves

The investigation became necessary following claims made by a threat actor known as “ByteToBreach” on dark web forums. ByteToBreach alleges that they gained unauthorised access to the systems of both Sterling Bank and Remita.

On March 27, 2026, Sterling Bank allegedly experienced a data breach. This breach reportedly compromised around 900,000 customer accounts and more than 3,000 employee files. The stolen data reportedly includes Bank Verification Numbers, account information, transaction records, loan details, and identity documents.

Days later, on March 31, the same actor claimed to have extracted approximately 3 terabytes of data from cloud storage infrastructure linked to Remita, Nigeria’s major payment processing platform used for government and corporate transactions.

The alleged Remita breach was said to include over 800 gigabytes of Know Your Customer (KYC) documentation. It also includes passports, identification cards, bank statements, photographs, and utility bills, as well as databases, source codes, application logs, and over 35,000 password hashes.

Also read: GTBank appeals $257k fine in breach of agreement case in Kenya

Cybersecurity analysts tracking the claims noted that, if verified, the breach could involve the records of millions of Nigerians and potentially compromise government-linked Hardware Security Module keys.

Increased government oversight of digital payments

NDPC CEO Dr Vincent Olatunji has ordered investigations into organisations that use digital payment systems but lack the technical and organisational safeguards mandated by the Nigeria Data Protection Act 2023. This action aims to protect the integrity of the digital payment ecosystem.

Under the Nigeria Data Protection Act 2023, organisations must notify the NDPC within 72 hours of becoming aware of a breach likely to affect the rights and freedoms of individuals. Where breaches create a high risk of fraud, identity theft, or financial harm, affected users must also be informed directly.

The investigation represents the latest high-profile regulatory action by the NDPC aimed at reinforcing data protection compliance in Nigeria’s rapidly expanding fintech and banking sectors.

In February, the agency ordered an inquiry into the operations of global e-commerce platform Temu over potential violations of the NDP Act 2023.

Remita, operated by SystemSpecs, plays a central role in Nigeria’s financial infrastructure, processing government salaries, pensions, and corporate transactions. Sterling Bank is a licensed commercial bank serving hundreds of thousands of customers across Nigeria.

The NDPC reiterated that the investigation aims to protect users’ personal data and ensure compliance across the fintech and banking sectors.

As of the time of publication, neither Remita nor Sterling Bank has issued official public statements confirming or denying the alleged breaches.

The post NDPC probes Remita, Sterling Bank over alleged data breach first appeared on Technext.