N677 million had left First City Monument Bank before its security team could react. Weeks earlier, the records of roughly 900,000 Sterling Bank customers surfaced for sale on a dark web forum. Both ran in the same news cycle under the same one-line summary: another Nigerian bank, another attack. Read past the headline, and the two incidents barely belong in the same sentence. One was an attack on the bank's finances. The other was an attack on its data. A bank built to stop the first can be wide open to the second.
The Money or the Data
A breach is theft of information. The intruder gets in, copies what is valuable, and leaves, often without moving a single Naira. The payday comes later, when the records are resold or used to defraud the exposed customers, and again when the regulator weighs in. A heist is theft of funds in motion. Success is money that clears before anyone reconciles the books, and the damage is immediate.
Those two goals live in different parts of the bank. The data sits in core databases and cloud storage behind the perimeter. The money moves through settlement and transfer systems that only trusted staff and trusted software ever touch. Defend one boundary well and you have done almost nothing for the other. That is the trap the 2026 headlines set.
What Actually Happened at FCMB
First City Monument Bank caught an attempt to move between N2.4 billion and N3 billion out of the bank. By the time the transfer was contained, about N677 million was already gone. The attempt was detected internally in December 2025. The public did not hear about it until March 2026.
The figure is not the interesting part. The method is. You do not push billions of Naira through a bank's settlement systems by guessing at a login screen. It takes knowledge of the plumbing: which accounts to route through, which amounts slip under review, when reconciliation runs, how to make a fraudulent transfer read as routine. That is the signature of an attack from inside the trust boundary, whether the hand on the keyboard belongs to a rogue insider, an insider feeding an outside crew, or an outsider wearing stolen privileged credentials.
FCMB has not published a forensic account, so the culprit is not public. It does not need to be. The mechanics say enough on their own: this attack ran on trusted access.
What Actually Happened at Sterling
Sterling Bank's incident ran the opposite way. A threat actor calling itself "ByteToBreach" claimed to have pulled roughly 900,000 customer accounts and more than 3,000 employee records, then put the haul up for sale. The same actor later claimed Remita and the Corporate Affairs Commission as victims. This is the outside-in pattern: find an exposed service, a misconfigured cloud bucket, or a password used one time too many, take the data, and turn it into money at leisure.
It leaves a different trail too. The early signs are at the edge and in the data: strange authentication, a large outbound copy of records rather than cash, an account suddenly reading files it has no reason to open. The wire-fraud controls that might have caught the FCMB transfer would not so much as blink at a quiet bulk export of customer data.
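The data-side signals described above, sketched as detection logic (an added example, not taken from either bank's systems). The account names, baseline figures, the 10x multiplier and the event format are all constructed assumptions.

```python
from collections import defaultdict

# Assumed policy: alert when one day's reads exceed 10x the account's usual volume.
VOLUME_MULTIPLIER = 10

def export_alerts(events, baseline):
    """events: (account, object, rows_read) tuples for one day.
    baseline: account -> {"daily_rows": int, "objects": set of usual objects}.
    Returns account -> list of reasons the account looks like a bulk export."""
    totals = defaultdict(int)
    unusual = defaultdict(set)
    for account, obj, rows in events:
        totals[account] += rows
        profile = baseline.get(account)
        # An account with no baseline has no business reading anything.
        if profile is None or obj not in profile["objects"]:
            unusual[account].add(obj)
    alerts = {}
    for account, total in totals.items():
        usual = baseline.get(account, {"daily_rows": 0})["daily_rows"]
        reasons = []
        if total > VOLUME_MULTIPLIER * usual:
            reasons.append("bulk_read")
        if unusual[account]:
            reasons.append("unusual_object:" + ",".join(sorted(unusual[account])))
        if reasons:
            alerts[account] = reasons
    return alerts

# Constructed sample data: a teller and a reporting service account.
BASELINE = {
    "teller.ngozi": {"daily_rows": 200, "objects": {"customers"}},
    "svc.reports": {"daily_rows": 5000, "objects": {"txn_summary"}},
}
EVENTS = [
    ("teller.ngozi", "customers", 150),       # routine lookup volume
    ("svc.reports", "txn_summary", 4800),     # routine reporting job
    ("svc.reports", "customers", 450_000),    # records it never normally reads
    ("svc.reports", "employees", 3_000),
]

if __name__ == "__main__":
    for account, reasons in export_alerts(EVENTS, BASELINE).items():
        print(account, reasons)
```

No money moves in any of these events, which is why a transfer-focused control sees nothing here.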
The Numbers Behind the Two Models
That detection-to-disclosure gap is its own warning. Three months sat between FCMB noticing the attempt and anyone outside the bank hearing about it. When data is the target, that silence leaves customers unable to defend themselves. When money is the target, it is worse: the window to trace and claw back funds closes a little more every day.
Different Crimes, Different Defences
Stopping a heist is about making sure no single trusted hand can move money alone, and noticing fast when a legitimate account starts acting out of character:
- Segregation of duties: initiating, approving, and releasing a large transfer should never collapse into one person logging in twice.
- Behavioural analytics on internal accounts: new payees, odd hours, and amounts parked just under a review threshold are the tells worth alerting on.
- Named, logged, revocable privileged access: every action on a settlement system should trace to a person, not a shared login.
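The first two controls in this list, expressed as checks over transfer records (an added example, not any bank's actual rules). The review threshold, the 5% "just under" margin, the business hours, the user names and the transfers are constructed assumptions.

```python
from datetime import datetime

# Assumed policy values for illustration only.
REVIEW_THRESHOLD = 10_000_000   # NGN amount that triggers manual review
NEAR_MARGIN = 0.05              # "just under" = within 5% below the threshold
BUSINESS_HOURS = range(8, 18)   # 08:00 to 17:59 local time

def flags_for(t, known_payees):
    """Return the tells present on one transfer record."""
    flags = []
    # Segregation of duties: three steps must mean three different people.
    if len({t["initiator"], t["approver"], t["releaser"]}) < 3:
        flags.append("segregation_of_duties")
    if t["payee"] not in known_payees.get(t["initiator"], set()):
        flags.append("new_payee")
    if datetime.fromisoformat(t["time"]).hour not in BUSINESS_HOURS:
        flags.append("odd_hours")
    if REVIEW_THRESHOLD * (1 - NEAR_MARGIN) <= t["amount"] < REVIEW_THRESHOLD:
        flags.append("just_under_threshold")
    return flags

def review(transfers, known_payees, min_flags=2):
    """Alert on any duty collapse, or on min_flags behavioural tells together."""
    alerts = {}
    for t in transfers:
        flags = flags_for(t, known_payees)
        if "segregation_of_duties" in flags or len(flags) >= min_flags:
            alerts[t["id"]] = flags
    return alerts

def _t(tid, initiator, approver, releaser, payee, amount, time):
    return {"id": tid, "initiator": initiator, "approver": approver,
            "releaser": releaser, "payee": payee, "amount": amount, "time": time}

# Constructed sample data.
KNOWN_PAYEES = {"ops.ada": {"ACC-1001"}, "ops.bayo": {"ACC-2001"}}
TRANSFERS = [
    _t("T1", "ops.ada", "sup.chi", "tre.dan", "ACC-1001", 4_200_000, "2026-01-12T10:15:00"),
    # New payee, 02:40, and 1% under the review threshold: three tells at once.
    _t("T2", "ops.ada", "sup.chi", "tre.dan", "ACC-9001", 9_900_000, "2026-01-13T02:40:00"),
    # Initiator approved their own transfer.
    _t("T3", "ops.bayo", "ops.bayo", "tre.dan", "ACC-2001", 1_500_000, "2026-01-13T11:00:00"),
    # A single tell alone stays below the alert bar.
    _t("T4", "ops.bayo", "sup.chi", "tre.dan", "ACC-2001", 9_600_000, "2026-01-13T14:00:00"),
]

if __name__ == "__main__":
    for tid, flags in review(TRANSFERS, KNOWN_PAYEES).items():
        print(tid, flags)
```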
Stopping a breach is the opposite job. Shrink what an outsider can reach, and catch them the moment they get inside:
- Attack surface management: you cannot defend the exposed service or forgotten subdomain you did not know was there.
- Cloud configuration review: Nigeria's recent breaches keep tracing back to storage permissions and key management that nobody checked.
- Penetration testing: our senior penetration testers go looking for those gaps the same way ByteToBreach does, just earlier.
The Line Is Already Blurring
The neat split does not always hold, and the better attackers know it. An outsider who steals a privileged employee's credentials stops looking like an intruder. To every control you own, they are now a trusted insider, which is exactly how a data breach becomes a heist.
So the answer is never one column of controls or the other. The principle that spans both is least privilege: every account, human or machine, carries only the access it truly needs, for only as long as it needs it. Back that with monitoring that assumes any trusted account can be turned against you, and you cover the seam where the two threats meet.
Where to Start
The CBN's self-assessment directive has put every licensed bank on notice, though a bank grading its own homework will only learn so much. Three questions are worth answering honestly this quarter:
- Could one compromised insider move money out today, and would anyone catch it before reconciliation? A perimeter test will never answer that question; the money path needs its own.
- What can an outsider actually reach? Inventory every internet-facing asset and cloud resource, then close what has no reason to be open.
- How fast would you tell anyone? Decide now how and when you notify regulators and customers. Three months of silence is not an incident response plan.
The banks that come through 2026 in good shape will be the ones that stopped asking whether they were hacked and started asking which way. Different locks guard the money and the data. Both have to hold.
- Two attacks, two problems: FCMB lost N677M of money through trusted internal systems; Sterling lost 900K records through the perimeter.
- The defences do not transfer: segregation of duties and behavioural analytics catch heists; attack surface management and penetration testing catch breaches.
- Stolen privileged access erases the line, turning an outsider into an insider. Least privilege plus monitoring is the control that spans both.
- Speed of disclosure is a control. FCMB's three-month gap is the difference between recovering funds and writing them off.