NDPC Opens Probe Into Alleged Remita–Sterling Bank Data Breach
Nigeria’s data privacy regulator, the Nigeria Data Protection Commission (NDPC), has launched an investigation into an alleged data breach involving Remita Payment Services Ltd. and Sterling Bank, raising fresh concerns about the safety of sensitive financial and personal data in the country’s digital payment ecosystem.
According to reports, the probe was formally triggered on April 1, 2026, with the NDPC confirming that a Notice of Investigation had already been served on the affected parties. The commission said it is now gathering information from relevant organisations and individuals to determine the nature, scope, and possible impact of the alleged breach on millions of Nigerians.
At the centre of the investigation is the question of whether proper technical and organisational safeguards, as required under the Nigeria Data Protection Act, 2023, were in place and whether those safeguards were sufficient to protect users’ data. The NDPC also indicated that the investigation may be widened to include other organisations using digital payment systems, suggesting that this may not be treated as an isolated incident.
The allegations gained more attention after a dark web actor known as ByteToBreach reportedly claimed responsibility for breaching systems linked to both firms. Claims circulating online alleged exposure of highly sensitive information, including BVNs, NUBANs, identity documents, transaction histories, loan records, and internal employee data. Those claims have not been independently verified in full, but they are serious enough to trigger regulatory scrutiny.
If confirmed, this case could become one of the most significant cybersecurity and privacy incidents in Nigeria’s recent digital finance history. It also puts pressure on both regulators and financial institutions to show that Nigeria’s push toward a cashless and digital economy is being matched with strong data protection and cyber resilience.