Nigeria’s data protection regulator is examining what personal data was exposed, how far the breach extends, and whether other payment operators are also at risk.
The Nigeria Data Protection Commission has opened a formal investigation into an alleged breach involving Remita Payment Services Ltd. and Sterling Bank, after a cybercrime platform claimed to have leaked data from both organisations on a public forum.
The incident surfaced on March 31. A platform called Bytetobreach published a list of companies it claimed to have breached, naming both Remita and Sterling Bank. Dark Web Informer flagged the same incident on X. Remita has not responded publicly.
The NDPC confirmed in a statement signed by Babatunde Bamigboye, Head of Legal, Enforcement and Regulations, that a Notice of Investigation was served on the affected parties on April 1, 2026. Relevant parties have since been providing information to aid the inquiry.
The commission is looking at three things: what categories of personal data were exposed, the extent of the breach, and what safeguards, if any, were in place before it happened.
The scope could go wider than the two named companies. NDPC CEO Dr. Vincent Olatunji directed that organisations running digital payment systems without appropriate technical and organisational measures, as required under the Nigeria Data Protection Act 2023, will also face scrutiny as part of a broader review. Remita processes payments for a large portion of government and corporate transactions in Nigeria, so a confirmed breach would have consequences beyond the organisations directly named.
This follows the commission’s February probe into Temu. Preliminary findings in that case indicated Temu handles personal data belonging to around 12.7 million Nigerians. The NDPC has not confirmed a breach in the current case. The investigation is ongoing.
and then