THE SECURITY OBLIGATIONS OF DATA CONTROLLERS AND PROCESSORS UNDER THE NDPA 2023 AND GAID 2025: LESSONS FROM THE REMITA AND STERLING BANK BREACHES

May 12, 2026

Introduction

In the past decade, Nigeria’s financial services and fintech sectors have undergone a transformation of remarkable speed. The migration of banking, payments and identity verification to digital infrastructure has produced enormous efficiencies, but it has also created vast repositories of sensitive personal data whose security cannot be taken for granted. The Nigerian Data Protection Bureau (NDPB), before the establishment of the Nigeria Data Protection Commission (NDPC), had flagged the financial sector as one of the most worrisome in terms of data privacy compliance, and the Commission’s enforcement actions have borne this out, with several banks investigated and fined for data privacy violations by 2023.

In late March 2026, a cybercrime tracking platform announced on social media that a massive dataset allegedly sourced from Remita had been leaked on a dark web forum. Within days, a separate threat actor claimed to have breached Sterling Bank's systems. The Nigeria Data Protection Commission (NDPC) responded swiftly, serving Notices of Investigation on both entities on 1st April 2026.

The incidents are still unfolding, and no breach has been formally confirmed. Their significance for Nigerian data protection law is nonetheless already clear, because the allegations have exposed the gap between compliance as a formality and compliance as a practice. This article examines the data security obligations that the Nigeria Data Protection Act (NDPA) 2023 and the General Application and Implementation Directive (GAID) 2025 impose on data controllers and processors, analyses how those obligations map onto the alleged facts of the Remita and Sterling Bank incidents, and draws practical lessons for organizations operating in data-intensive sectors.

Key Definitions under the NDPA

What is Personal Data?

The NDPA defines personal data as any information relating to an individual who is identifiable whether directly or indirectly. Identification may occur through a direct identifier such as a name, or through an indirect identifier such as an IP address, a BVN, or other online identifiers. It may also arise from information relating to a person’s physical, genetic, psychological, cultural, social, or economic identity. In practical terms, if information can be used whether on its own or in combination with other data to identify a person, it qualifies as personal data under the NDPA.

Who is a Data Controller?

A data controller is defined under Section 65 of the NDPA as an individual, private entity, public commission, agency, or other body who, alone or jointly with others, determines the purpose and means of processing personal data. Put simply, the data controller decides why personal data is collected and how it is used. In practice, data controllers are typically the entities that maintain direct relationships with the individuals whose data is collected, for instance an employer who manages employee records, a fintech company that onboards customers, or a retail business that collects consumer data for marketing purposes.

Who is a Data Processor?

A data processor, also defined under Section 65 of the NDPA, is an individual, private entity, or other body that processes personal data on behalf of or at the direction of a data controller or another data processor. Unlike a controller, a processor does not determine the purpose of processing; it operates strictly within the instructions of the controller. In practice, data processors include cloud service providers, payment processors, payroll administrators, customer support vendors, and IT service providers. Remita, as a payment processing platform engaged by institutional clients, would in most of its processing relationships be characterized as a processor. Sterling Bank, with direct customer relationships and full control over the purposes of its data processing, would be a controller.

What is a Data Controller or Processor of Major Importance (DCPMI)?

Under the NDPA and the GAID, an organization qualifies as a Data Controller or Processor of Major Importance (“DCPMI”) and is required to register with the NDPC within six months if it meets any of the following criteria:

• it processes the personal data of more than 200 data subjects within any six-month period;

• it provides commercial ICT services on digital devices storing personal data belonging to another individual; or

• it processes personal data in any of the following sectors: aviation, communication, education, electric power, export and import, financial services, health, hospitality, insurance, oil and gas, tourism, e-commerce, or public service.

DCPMIs are classified into three tiers based on the scale and volume of data processed: Major Data Processing Ultra High Level, Major Data Processing Extra High Level, and Major Data Processing Ordinary High Level. Each tier attracts distinct compliance standards, reporting requirements, and penalty thresholds.

Data Security Obligations under the Nigeria Data Protection Act 2023 and the General Application and Implementation Directive (GAID) 2025

A. Core Obligations Under the NDPA 2023

The NDPA 2023 establishes a general obligation on data controllers and processors to implement appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, or destruction. This obligation requires measures that are appropriate to the nature of the data, the risks presented by the processing, and the state of available technology, a formulation that demands ongoing assessment rather than a one-time compliance exercise.

Section 24(1)(a) of the Act mandates that a data controller or processor ensure that personal data is processed in a fair, lawful and transparent manner. The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should also provide the data subject with any further information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data is processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling.

Section 29 of the NDPA provides that where a data controller engages the services of a data processor, or a data processor engages the services of another data processor, the engaging controller or processor shall ensure that the engaged data processor complies with the principles and obligations set out in the Act as applicable to the data controller. A data controller or processor must not be in default or defiance of the rules and responsibilities under the Act. In fulfilment of their obligations under the Act, the data processor or controller shall put in place appropriate information, technical and organizational measures, particularly to ensure the security, integrity, and confidentiality of personal data.

Data controllers and processors must ensure data is processed in a manner that guarantees appropriate security, including protection against unauthorized or unlawful processing, access, loss, destruction, damage, or any form of data breach. Section 39 of the NDPA equally mandates that “a data controller and data processor shall implement appropriate technical and organizational measures to ensure the security, integrity and confidentiality of personal data in its possession or under its control, including protections against accidental or unlawful destruction, loss, misuse, alteration, unauthorized disclosure, or access.”

Section 40(2) of the NDPA imposes breach notification obligations where a personal data breach occurs and is likely to result in a risk to the rights and freedoms of data subjects. The data controller must notify the NDPC without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to data subjects, those individuals must also be notified directly. The rationale behind this obligation is that timely notification enables the NDPC to intervene swiftly and limit regulatory harm, while direct notification to affected data subjects empowers them to take protective action.

B. Obligations Under GAID 2025

Firstly, the GAID requires data controllers and processors of major importance to audit the online devices through which personal data is accessed as often as necessary to ensure data security. Article 7 of the GAID also requires controllers and processors to prepare and follow documented schedules for the monitoring, evaluation, and maintenance of their data security systems, covering training, software updates, vulnerability testing, encryption reviews, authentication checks, and hardware assessments. These schedules must be certified by a qualified information security officer and, critically, must be supplemented by continuous monitoring that operates independently of any fixed schedule, calibrated to the evolving risks of the processing activities in question.

Furthermore, Article 31 addresses the security of data processing software specifically. Before deploying any software used to track data subjects or process their personal data, a controller or processor must conduct a DPIA, design the software in accordance with privacy-by-design and privacy-by-default principles, and provide data subjects with a pre-installation privacy statement that discloses the specific technical measures implemented.

In addition, Article 33 governs breach notification and compliance auditing together, and the pairing is deliberate. On notification, a controller must report any breach likely to affect data subjects' rights to the NDPC within 72 hours of awareness and must notify affected individuals immediately where the risk to their privacy is high. Where immediate disclosure could assist in containing a breach at a national or sectoral scale, that obligation accelerates further, such that the 72-hour window yields to an immediate duty. On auditing, controllers and processors must adopt a risk-based approach that maps vulnerability across the entire processing chain: people, processes, and technology. Where personal data is accessible through an online device, that device must be audited as frequently as possible. Ultra High Level and Extra High Level entities must additionally file annual Compliance Audit Returns (CAR) through a licensed Data Protection Compliance Organisation (DPCO), with a 50% administrative penalty attaching to any late filing.

The Distinction between a Data Controller and a Data Processor and their Shared Liability

The distinction between data controller and data processor is very important because it has direct implications for where liability lies and how it is distributed in the event of a breach. A data controller determines the purposes and means of processing; a data processor acts only on the controller's instructions. As noted above, Remita, as a payment processing platform engaged by institutional clients, would in most of its processing relationships be characterized as a processor, while Sterling Bank, with direct customer relationships and full control over the purposes of its data processing, would be a controller. The legal consequences of this characterization are important: a controller cannot outsource its accountability by engaging a processor. Where a breach arises from the processor's inadequate security measures, the controller remains exposed if it failed to conduct adequate due diligence on the processor's security posture, failed to include appropriate security terms in the processing agreement, or failed to monitor ongoing compliance. Both entities therefore face independent exposure, each assessed against its own obligations under the framework.

The Incident and Regulatory Analysis

On 31 March 2026, Dark Web Informer announced on X that a dataset allegedly sourced from Remita had appeared on a cybercrime forum. The claim alleged the exfiltration of approximately three terabytes of data, including over 800GB of KYC documents, passports, identity cards, bank statements, and utility bills as well as internal databases, source code, system logs, and more than 35,000 password hashes. Cyber analysts identified a possible misconfiguration of Amazon S3 cloud storage buckets as the likely attack vector. Separately, threat actor ByteToBreach claimed on 27 March 2026 to have accessed Sterling Bank's systems, alleging exposure of data tied to approximately 900,000 customer accounts and over 3,000 employee records, including BVNs, NUBANs, transaction histories, loan records, and credit scores.

The NDPC responded swiftly by serving Notices of Investigation on 1st April and publicly committing to examine the types of personal data involved, the nature and scope of the alleged breach, the risk to data subjects and the mitigation measures taken. The Commission also directed a broader sector-wide review of organizations operating digital payment platforms without adequate safeguards.

Even where a breach has not been formally confirmed, the regulatory consequences of inadequate security measures are not contingent on confirmation. The NDPC’s issuance of Notices of Investigation is itself a significant regulatory event. The following obligations are directly implicated by the alleged facts:

A. Failure to Implement Appropriate Security Measures

The alleged breach, if confirmed, would constitute a failure of the most fundamental obligation: the duty to implement appropriate technical and organizational measures. Cloud storage misconfiguration is a well-documented and preventable class of vulnerability. A robust security monitoring schedule under Article 7 of the GAID, combined with continuous monitoring, should have identified and remediated this exposure before a threat actor was able to exploit it.
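To make concrete what "continuous monitoring" of cloud storage configuration looks like in practice, the following is an added example, not code from the article or from any of the organisations it discusses. It evaluates S3-style bucket configuration records for public exposure, the kind of rule an automated monitoring job would run on a schedule and on every configuration change. The input dictionaries are assumed to mirror the shape of the AWS S3 GetPublicAccessBlock and GetBucketAcl API responses; the bucket names and grants are constructed sample data, and a real deployment would pull the live values with the cloud SDK and would also review bucket policies, which this check does not cover.

```python
"""
Added example (not from the article, NDPC, Remita or Sterling Bank):
an offline check that flags S3-style buckets whose ACLs or Public Access
Block settings leave personal data reachable by anyone.

Assumptions: the `acl` and `pab` dictionaries follow the shape of the AWS
GetBucketAcl and GetPublicAccessBlock responses. All bucket names and
grants below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Grantee URIs that mean "anyone" / "any AWS account holder" in an S3 ACL.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four Public Access Block settings that should all be True.
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


@dataclass
class Finding:
    bucket: str
    severity: str  # "high" or "medium"
    reason: str


def public_acl_grants(acl: dict) -> List[Tuple[str, str]]:
    """Return (grantee URI, permission) pairs that grant access to everyone."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            hits.append((grantee["URI"], grant.get("Permission", "")))
    return hits


def public_access_block_gaps(pab: Optional[dict]) -> List[str]:
    """Names of Public Access Block settings that are missing or False.
    A missing block (None) means nothing is blocked, so every setting is a gap."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return [name for name in PAB_SETTINGS if not cfg.get(name, False)]


def evaluate_bucket(name: str, acl: dict, pab: Optional[dict]) -> List[Finding]:
    """Combine ACL and Public Access Block state into severity-rated findings."""
    findings: List[Finding] = []
    gaps = public_access_block_gaps(pab)
    grants = public_acl_grants(acl)
    if grants and "IgnorePublicAcls" in gaps:
        # The public grant is live: nothing neutralises it.
        for uri, perm in grants:
            group = uri.rsplit("/", 1)[-1]
            findings.append(Finding(name, "high",
                            f"ACL grants {perm} to {group} and IgnorePublicAcls is off"))
    elif grants:
        # Neutralised by IgnorePublicAcls, but still a latent misconfiguration.
        findings.append(Finding(name, "medium",
                        "public ACL grant present but ignored; remove it anyway"))
    if gaps:
        findings.append(Finding(name, "medium",
                        "Public Access Block incomplete: " + ", ".join(gaps)))
    return findings


def evaluate_inventory(inventory: Dict[str, dict]) -> Dict[str, List[Finding]]:
    """Run the check over {bucket: {"acl": ..., "pab": ...}} and keep every result,
    including empty lists, so the report shows which buckets were examined."""
    return {name: evaluate_bucket(name, rec.get("acl", {}), rec.get("pab"))
            for name, rec in inventory.items()}


def needs_alert(results: Dict[str, List[Finding]]) -> bool:
    """True when any bucket has a live public exposure (a 'high' finding)."""
    return any(f.severity == "high" for fs in results.values() for f in fs)


_ALL_TRUE = {"PublicAccessBlockConfiguration": {k: True for k in PAB_SETTINGS}}
_OWNER_ONLY = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                           "Permission": "FULL_CONTROL"}]}

# Constructed sample inventory (names and grants are fictitious).
SAMPLE_INVENTORY = {
    "kyc-documents-example": {   # no block at all, world-readable ACL
        "pab": None,
        "acl": {"Grants": _OWNER_ONLY["Grants"] + [
            {"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]},
    },
    "logs-example": {"pab": _ALL_TRUE, "acl": _OWNER_ONLY},   # well configured
    "exports-example": {         # one block setting off, stale public grant
        "pab": {"PublicAccessBlockConfiguration": dict(_ALL_TRUE["PublicAccessBlockConfiguration"],
                                                        BlockPublicPolicy=False)},
        "acl": {"Grants": [
            {"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
             "Permission": "READ"}]},
    },
}

if __name__ == "__main__":
    results = evaluate_inventory(SAMPLE_INVENTORY)
    for bucket, findings in results.items():
        print(bucket, "->", "clean" if not findings else
              "; ".join(f"[{f.severity}] {f.reason}" for f in findings))
    print("alert:", needs_alert(results))
```

The design point is that the two controls are evaluated together: a public ACL grant is only a live exposure when IgnorePublicAcls is off, so the check rates that combination "high" and everything else "medium". Wiring `needs_alert` to a paging channel, and re-running the evaluation on every configuration change event rather than on a calendar, is what turns a periodic audit into the continuous monitoring the GAID describes.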

B. Controller Accountability for Processor Failures

In the Remita scenario, institutional clients that engaged Remita as a payment processor cannot insulate themselves from liability by attributing the breach to their processor. Under Section 29 of the NDPA, a controller that fails to conduct adequate due diligence on its processor’s security posture, or that fails to include and enforce appropriate security terms in its processing agreement, remains independently exposed. The incident therefore raises questions not only about Remita’s compliance but also about the adequacy of its institutional clients’ vendor oversight.

C. Adequacy of DPIA and Privacy-by-Design Compliance

Given the scale and sensitivity of the data allegedly involved, including KYC documents, source code, and biometric-adjacent records such as BVNs, the processing activities of both entities would almost certainly have required a DPIA under Section 28 of the NDPA and Article 31 of the GAID before the relevant systems were deployed. The adequacy of any such assessments, and whether the resulting risk mitigation measures were implemented and maintained, will likely form part of the NDPC’s investigation.

Practical Lessons for Organizations in Data-Intensive Sectors

Organizations operating in the financial services, fintech, and broader digital economy should draw the following lessons from these incidents:

• Treat security monitoring as a continuous obligation, not a periodic exercise: GAID’s requirement for continuous monitoring independent of fixed schedules reflects the reality that threat actors do not operate on compliance calendars. Organizations must implement real-time monitoring and automated alerting systems capable of detecting anomalies, including misconfigured cloud resources, before they are exploited.

• Conduct rigorous vendor due diligence and enforce security obligations contractually: Controllers engaging processors must not simply assume that their vendors maintain adequate security. Section 29 of the NDPA places the burden of ensuring processor compliance squarely on the controller. Due diligence should be conducted before engagement and reviewed on a risk-based schedule thereafter, and processing agreements must include enforceable security requirements and audit rights.

• Operationalize the 72-hour notification obligation: Organizations must have an incident response plan that enables them to detect, assess, and notify the NDPC of a breach within 72 hours. This requires clear internal escalation procedures, pre-designated roles and responsibilities, and pre-drafted notification templates. The clock begins when the organization “becomes aware”, not when the breach is confirmed beyond doubt.

• Conduct DPIAs before deploying new systems, not after: The DPIA obligation under Section 28 of the NDPA is a pre-deployment requirement, not a post-incident review. Organizations must embed DPIA processes into their technology procurement and deployment workflows, ensuring that privacy risks are assessed and mitigated before systems go live.

• Invest in staff training as a security control: A significant proportion of data breaches have a human element, whether through misconfiguration, social engineering, or inadvertent disclosure. The staff training obligation in Article 7(g) of the GAID is a substantive security control that, if properly implemented, can prevent the very incidents the NDPA was designed to address.

• Maintain current, accurate Records of Processing Activities (ROPA): The ROPA requirement under the GAID is an investigative tool. Organizations that maintain accurate and up-to-date ROPAs are better placed to respond to an NDPC investigation, identify the scope of a potential breach, and demonstrate the adequacy of their governance arrangements.

• Register as a DCPMI and file annual Compliance Audit Returns: Registration and annual audit filing are foundational compliance obligations. Organizations that have not yet registered or that are overdue on their CAR filing face the double exposure of a substantive breach and a procedural non-compliance. The NDPC has demonstrated both the willingness and the capacity to investigate and sanction non-compliant entities.

Conclusion

The alleged Remita and Sterling Bank breaches have arrived at a moment of increasing regulatory intensity in Nigeria’s data protection landscape. They illustrate, with considerable clarity, what is at stake when the obligations imposed by the NDPA 2023 and GAID 2025 are not operationalized into the day-to-day functioning of an organization. The framework requires demonstrably effective practices, systems, and cultures of data protection. The NDPC’s swift response, serving Notices of Investigation within days of the public disclosures, signals unambiguously that the Commission intends to enforce the framework effectively. For organizations in the financial services sector and beyond, the message is clear: the time for reactive compliance is over. Organizations that have not yet conducted a comprehensive review of their data security obligations under the NDPA and GAID should do so without delay, before the regulator comes to them.
