NDPC Investigates Remita, Sterling Over Data Breach

The Nigeria Data Protection Commission (NDPC) has officially launched a large-scale investigation into Remita Payment Services Limited and Sterling Bank following reports of a potential data breach that may have exposed the sensitive personal and financial information of millions of Nigerians.

The probe, which was confirmed in a statement by Babatunde Bamigboye, the NDPC’s Head of Legal, Enforcement, and Regulations, follows a formal Notice of Investigation served to both entities on April 1, 2026.

The regulatory intervention was triggered by alarming claims from a threat actor known as “ByteToBreach.” Reports circulating on cyber intelligence forums, including the dark web, suggest that approximately 3 terabytes of data were allegedly exfiltrated from cloud storage systems.

The leaked information reportedly includes over 800GB of “Know Your Customer” (KYC) documents, such as international passports, national identity cards, bank statements, and utility bills.

Additionally, the breach is said to involve internal databases, source codes, and password hashes, posing a significant risk to the integrity of the digital payment ecosystem.

According to the NDPC, the investigation aims to determine the full nature and scope of the incident. The Commission is currently assessing the categories of personal data involved and evaluating the technical and organizational measures or lack thereof that were in place at the time of the suspected compromise.

READ ALSO: Rewarding Excellence: State House Sets New Service Benchmark

Both Remita and Sterling Bank are reportedly cooperating with the Commission, providing necessary information to aid the inquiry.

The National Commissioner of the NDPC, Dr. Vincent Olatunji, has warned that this probe may extend to other organizations linked to the breach. Reports suggest that data from various government institutions and private firms, including Zenith Bank and the Oyo State Government, may also be at risk.

Under the Nigeria Data Protection Act (NDPA) 2023, the NDPC has the authority to impose heavy sanctions on any entity found negligent. If a breach of compliance is established, the affected organizations could face penalties of up to N10 million or 2% of their annual gross revenue, whichever is higher.

This move underscores the NDPC’s commitment to enforcing data privacy in Nigeria’s rapidly evolving fintech sector. As the investigation continues, the Commission has urged all organizations deploying digital payment systems to ensure they meet the rigorous security standards required to protect Nigerian citizens from cyber threats.