Nigeria’s data protection authority has issued an urgent advisory warning of coordinated cyberattacks on the country’s financial systems and critical digital infrastructure, citing evidence of organised threat actors probing national networks with growing sophistication.
The Nigeria Data Protection Commission (NDPC) said its technical findings point to coordinated cyber activities aimed at financial systems and other critical national assets, describing the threat as a serious risk to both data privacy and national security. The advisory was signed by Babatunde Bamigboye, Head of Legal, Enforcement and Regulations at the commission.
The NDPC warned that institutions powering banking services, payment platforms, telecommunications, cloud infrastructure, and public-sector digital services are increasingly vulnerable, with the risk of data breaches and service disruptions rising sharply.
Active Investigations Underway
The advisory does not arrive in isolation. Just days earlier, the NDPC launched a separate investigation into alleged breaches at Remita Payment Services and Sterling Bank, following claims by a threat actor identified as “ByteToBreach” that sensitive customer data, including Bank Verification Numbers, Know Your Customer documents, and transaction records, had been compromised.
The commission has since also announced an investigation into a cybersecurity incident at the Corporate Affairs Commission (CAC), which manages Nigeria’s official corporate registry and handles up to 10,000 business registration requests daily. A serious breach there could expose the records of millions of registered businesses and their directors.
Presidential Directive Invoked
The NDPC invoked President Bola Tinubu’s directive declaring that “data is the new oil,” calling on Ministries, Departments and Agencies (MDAs) to rigorously capture and safeguard information in line with the Nigeria Data Protection Act, 2023.
The commission outlined a range of technical measures it expects organisations to implement without delay. These include appointing trained and certified Data Protection Officers, implementing comprehensive privacy policies, conducting Data Privacy Impact Assessments, deploying multi-factor authentication, adopting zero-trust security architecture, and continuously patching system vulnerabilities.
Organisations were also directed to implement real-time monitoring, logging and threat detection systems, alongside encryption and secure credential management, and to conduct regular vulnerability assessments and penetration testing on critical systems.
Legal Exposure for Non-Compliance
The NDPC warned that organisations failing to comply risk facing legal consequences, noting that enforcement mechanisms under the Nigeria Data Protection Act are already active. The commission added that it stands ready to provide regulatory support to institutions seeking to align with required standards.
The string of incidents signals a broader shift in Nigeria’s threat landscape. As digital adoption accelerates across banking, commerce, and public services, the systems underpinning that growth have become prime targets, and regulators are now making clear that voluntary compliance is no longer sufficient.
