- Massive Data Theft Allegations: A group of hackers has allegedly stolen sensitive data from Remita, Sterling Bank, and others.
- NDPC Launches Investigation: The commission issued an investigation notice to determine the details of the alleged data breach.
- The NDPC will review all organizations using digital payment systems to ensure compliance with the Nigeria Data Protection Act, 2023.

The data protection watchdog in Nigeria has launched a formal investigation into a suspected cyberattack affecting Remita Payment Services, Sterling Bank, and other companies.
The Nigeria Data Protection Commission (NDPC) started the investigation based on reports originating from dark web platforms regarding potential data leaks.
According to the posts, hackers claimed they stole sensitive customer information from these financial organizations. These claims have raised concerns about the security of the Nigerian digital payment ecosystem.
On April 1, this year, NDPC issued a Notice of Investigation, and all parties to the investigation have begun to respond with data the watchdog requested in connection with the investigation. Neither Sterling Bank nor Remita has released an official statement about the allegations.
What Hackers Claimed They Stole
The scale of the alleged breach looks massive. A cybercrime tracking platform called Dark Web Informer reported on March 31 that a “massive breach” from Remita appeared on a popular cybercrime forum.
According to the post, the hackers claim to have stolen 3TB of S3 storage and over 800GB of KYC documentation, including IDs, passports, photographs, bank statements, and electricity bills.
Additionally, the attackers revealed that they accessed MySQL and Postgres databases, Docker registries, logs, government-hosted security keys, source code, and more than 35,000 password hashes.
A separate report of a breach at Sterling Bank surfaced within the same period. If true, this incident could expose millions of Nigerians who use these platforms for daily banking and bill payments.
What the NDPC Investigation Will Look At
The NDPC investigation will focus on several key areas. The Commission will evaluate the types of personal information the hackers exposed, the nature and extent of the incident, and the associated risks to the affected parties and individuals. Also, it will assess the security controls the businesses implemented and their reactions to the breach after the exposure.
The Head of Legal, Enforcement, and Regulations for the NDPC, Babatunde Bamigboye, stated that the purpose of this investigation is to make sure financial organizations maintain adequate protection for the data subjects using proper technical and organizational procedures.
Also, the Commission will look at whether the companies have acted positively to mitigate the breach and help the affected customers.
This investigation comes on the heels of a prior NDPC investigation of the Chinese e-Commerce marketplace Temu for violations of security and privacy. The Temu case involved concerns about online tracking and cross-border data transfers affecting about 12.7 million Nigerian users.
Wider Review of Digital Payment Systems
Dr Vincent Olatunji, the National Commissioner and CEO of NDPC, has ordered a broader review of all organizations that use digital payment systems. He has warned that organizations that lack adequate data protection will face increased scrutiny.
All organizations must comply with the Nigeria Data Protection Act 2023, which stipulates that all companies shall put in place appropriate measures to prevent the unauthorized access or use of personal data.
If they violate the rule, they may incur significant penalties. Therefore, the extended scope of this review suggests that the Commission will investigate other Fintech organizations in Nigeria, in addition to Remita and Sterling Bank.
The NDPC has already investigated over 1,300 organizations in sensitive industries like banking, insurance, and pensions for potential data law violations.
For now, millions of Nigerians who use Remita for bill payments and Sterling Bank for banking services must wait for the outcome of the investigation. The NDPC has not yet confirmed whether the breach actually happened or how many customers might be affected.
While Nigerians wait for answers about the Remita and Sterling Bank claims, the AVrecon malware warning serves as a reminder that cybersecurity threats are constantly evolving, from massive data thefts to silent router hijacks, and that staying safe online requires vigilance at every level, from the bank to the home router.