Remita/Sterling Bank Data Breach Probe: The Nigeria Data Protection Commission (NDPC) launched an investigation on April 1, 2026, into alleged data breaches involving Remita Payment Services Ltd., Sterling Bank, and other entities. Threat actors claimed to have accessed and exposed sensitive customer and institutional data on dark web forums.
Korede Akinsanya
4/7/2026


The Nigeria Data Protection Commission (NDPC) has launched a formal investigation into alleged data breaches involving Remita Payment Services Ltd., Sterling Bank, and other related entities. The probe, which began with the service of a formal Notice of Investigation on April 1, 2026, aims to determine the scope, nature, and impact of the reported incidents on Nigerian citizens' personal and financial data.
Background: Claims by Threat Actors on the Dark Web
The investigation follows public claims by a threat actor known as ByteToBreach, who allegedly posted details of significant data compromises on dark web forums in late March 2026.
For Sterling Bank, the actor claimed access to sensitive information from approximately 900,000 customer accounts and over 3,000 employee records. Reported data types included:
Bank Verification Numbers (BVNs)
NUBAN account details
Passport and driver's license information
Transaction histories
Loan records
Credit scores
Employee details (up to senior leadership levels)
The actor further alleged that the compromised Sterling Bank infrastructure was used to facilitate attacks on external systems, including Remita.
For Remita, described as one of Nigeria's major payment and transaction processing platforms, the claims were even larger in scale. Reports suggested exposure of around 3TB of Amazon S3 storage, including:
Hundreds of gigabytes of KYC documents (IDs, passports, photos, bank statements, utility bills)
MySQL/Postgres databases
Logs and docker registries
Source code
Government HSM keys
GitKraken backups
Over 35,000 password hashes
Multiple additional databases
These materials were reportedly leaked or offered on cybercrime forums such as DarkForums.su. The claims remain unverified by independent sources or the affected companies at the time of reporting, but they raised immediate concerns about risks to millions of Nigerians using digital payment systems.
NDPC's Response and Scope of the Investigation
In a statement released around April 5–6, 2026, and signed by Babatunde Bamigboye, Esq., Head of Legal, Enforcement & Regulations at the NDPC, the Commission confirmed it had served notices on Remita Payment Services Ltd., Sterling Bank, and other entities. Relevant parties have begun providing information to support the probe.
The investigation focuses on several key areas:
The types and categories of personal data potentially involved.
The nature, scope, and root causes of any confirmed breach.
Potential risks to data subjects (Nigerian citizens and customers).
Mitigation measures implemented by the organizations (if a breach is established).
Compliance with the Nigeria Data Protection Act, 2023 (NDP Act), particularly requirements for technical and organisational safeguards in digital payment ecosystems.
Dr. Vincent Olatunji, National Commissioner/CEO of the NDPC, emphasized that the probe extends beyond the specific incidents. Organizations deploying digital payment systems without adequate data protection measures may face broader scrutiny to safeguard the integrity of Nigeria’s fintech and banking sectors.
Why This Matters
Remita is a widely used platform for government and private sector payments in Nigeria, handling billions of transactions annually. Sterling Bank is a prominent commercial bank. Any compromise could expose millions to risks such as identity theft, financial fraud, phishing, and impersonation.
The incidents highlight ongoing challenges in Nigeria’s rapidly growing digital economy, including vulnerabilities in cloud infrastructure, API security, patching practices (e.g., alleged exploitation of Oracle WebLogic remote code execution flaws in related claims), and third-party dependencies.
Current Status (as of early April 2026)
The NDPC investigation is active and ongoing.
Affected entities are cooperating by supplying information.
No official confirmation of the breach scale or data exfiltration has been released by Remita, Sterling Bank, or the NDPC.
No public statements detailing specific impacts on individual customers have emerged from the companies involved.
Users concerned about their data are advised to monitor their accounts closely, enable multi-factor authentication, watch for suspicious activity, and report any issues to their banks or the NDPC.
This story is developing rapidly.
Disclaimer:
This article is based on public reports and statements from the Nigeria Data Protection Commission (NDPC) as of April 2026. The alleged data breaches remain under investigation and have not been officially confirmed by Remita, Sterling Bank, or the NDPC. Information may be subject to updates or corrections. Readers are advised to verify details from official sources and monitor their accounts for any suspicious activity.
Strictly for educational purposes only.
References
Nigeria Data Protection Commission (NDPC) official statements via major Nigerian media outlets (April 5–6, 2026).
Punch Newspapers: “NDPC probes Remita, Sterling Bank over data breach” (April 5, 2026). punchng.com
Vanguard News: “NDPC probes Remita, Sterling Bank over alleged data breach” (April 5, 2026). vanguardngr.com
The Guardian Nigeria: “NDPC investigates bank, payment platform for alleged data breach” (April 6, 2026). guardian.ng
Daily Post Nigeria: “Data protection: NDPC investigates Remita, Sterling Bank over alleged data breach” (April 6, 2026). dailypost.ng
Sahara Reporters and other reports detailing claims by threat actor ByteToBreach on dark web forums (late March 2026). saharareporters.com
All information regarding the scale of alleged data exposure (e.g., 900,000+ Sterling Bank records or 3TB of Remita data) originates from unverified claims posted on dark web/cybercrime forums and has not been independently authenticated.
