2026 will be remembered as a turning point for cybersecurity in Nigeria. In the span of weeks, two of the country's most significant data breaches were announced, a major cyber heist was uncovered, the Central Bank of Nigeria issued an emergency directive requiring all banks to submit cybersecurity self-assessments, and the Corporate Affairs Commission was breached. The message is clear: Nigeria's financial and government infrastructure is under sustained attack, and a single threat actor is behind much of it.
The Sterling Bank Breach
On March 27, 2026, a threat actor operating under the alias "ByteToBreach" posted claims on a dark web forum that they had breached Sterling Bank, one of Nigeria's mid-tier commercial banks. The alleged haul was staggering: 900,000 customer accounts and over 3,000 employee records.
The data reportedly included Bank Verification Numbers (BVNs), account details, transaction histories, loan records, identity documents, and credit scores. C-suite employee records were also said to be among the exposed data, raising concerns about targeted social engineering attacks against the bank's leadership.
Sterling Bank declined to comment publicly on the claims. ByteToBreach, however, is not an unknown entity. The group is a recognized cross-platform criminal operation with a documented history of targeting financial institutions across multiple countries. Their appearance on this particular forum, with this particular target, was not random. It was deliberate.
The Remita Breach
Four days later, on March 31, 2026, the same threat actor claimed to have extracted 3 terabytes of data from Remita's Amazon Web Services cloud infrastructure. Remita is the payment platform used by the Nigerian government for salary disbursements, pension payments, tax collections, and vendor transactions. This was more than just a corporate breach, because government data would also be exposed.
The allegedly stolen data included over 800 gigabytes of KYC documents: national identity cards, international passports, bank statements, and utility bills. Government salary records, pension deductions, tax filings, and contractor invoices were also reportedly compromised. More than 35,000 password hashes, source code repositories, and Docker container registries were part of the haul. Most critically, government Hardware Security Module (HSM) keys were said to be among the compromised data.
Remita's public response was limited. The company issued vague statements referencing "some hitches" with their systems. For a platform of that size, the lack of transparency raised serious questions about incident response and disclosure obligations.
The FCMB Heist
In a separate incident, First City Monument Bank (FCMB) revealed that it had detected a cyber heist attempt targeting between N2.4 billion and N3 billion. Before the bank's security team could fully contain the attack, approximately N677 million had already been transferred out.
The breach was initially discovered in December 2025, but details only emerged publicly in March 2026. Again, the gap between detection and disclosure highlights the absence of mandatory, time-bound breach notification requirements that are actually enforced.
The CAC Breach
Then, on April 15, 2026, ByteToBreach struck again. This time the target was the Corporate Affairs Commission (CAC), the federal agency responsible for registering every company and business name in Nigeria. The CAC's database holds records on over 3 million registered companies, including director and shareholder personal details, registered office addresses, shareholding structures, financial filings, and corporate governance documents. The commission processes up to 10,000 new business registration requests daily.
Unverified reports from cybercrime-tracking accounts claim that as many as 25 million documents may have been exfiltrated from the CAC's infrastructure. The CAC itself confirmed "unauthorised access to limited aspects" of its information systems but did not specify which systems were affected, what data was accessed, or how many records were compromised. In a public notice signed by management, the commission said it had activated response protocols and was working with the National Information Technology Development Agency (NITDA) and other government agencies to assess the scope and impact.
The commission advised stakeholders to monitor their records on the CAC portal for unauthorized changes, update login credentials immediately, and remain cautious of unsolicited communications.
The fact that the same actor responsible for the Sterling Bank and Remita breaches also hit the CAC points to a sustained, deliberate campaign against Nigeria's most critical institutions, and the actor claims to have more in store. The question is not if more breaches will occur, but which organization's data will be released next.
The Numbers Tell the Story
These figures are not projections. Nigerian banks faced an average of 18,872 cyberattacks per month in early 2026. Financial losses from cyber fraud nearly tripled in a single year, rising from N17.67 billion in 2023 to N52.26 billion in 2024. In January 2026 alone, Nigerian organizations were hit with ~4,701 attacks per week. And the Nigerian Data Protection Commission now has more than 30 organizations under active investigation.
The Regulatory Response
In the wake of these incidents, Nigeria's regulatory bodies were slow to respond. On April 1, 2026, the Nigerian Data Protection Commission (NDPC) launched a formal investigation covering Remita, Sterling Bank, CRC Credit Bureau, CardinalStone, and more than 30 other entities believed to have been affected by the wave of breaches.
The Central Bank of Nigeria followed with a directive requiring all licensed banks to submit cybersecurity self-assessments within three to five weeks. The directive signalled a shift from passive oversight to active scrutiny, though the self-assessment model still relies heavily on banks honestly reporting their own vulnerabilities.
When the CAC breach surfaced on April 15, NITDA was said to have been brought in to coordinate the technical response, marking the first time the agency has been publicly named as a direct responder to a federal government data breach of this scale.
At a broader level, the Nigerian government announced plans to develop a comprehensive national cybersecurity framework. The Nigeria Data Protection Act of 2023 already provides for penalties, including fines of up to N10 million or 2% of annual gross revenue. But enforcement has been limited. Until now, few organizations have faced meaningful consequences for data protection failures. Whether the current wave of investigations changes that remains to be seen.
What This Means for Nigerian Organizations
The breaches at Sterling Bank and Remita exposed fundamental weaknesses that exist across much of Nigeria's financial infrastructure: cloud misconfigurations, weak access controls, and inadequate monitoring. These are not exotic attack vectors. They are well-known, well-documented vulnerabilities that senior penetration testers identify routinely during security assessments.
Compliance alone is clearly not enough. Sterling Bank, Remita, and the CAC are all regulated entities operating under the supervision of the CBN and other federal bodies. They were still breached. The fact that a single threat actor, ByteToBreach, hit all three targets in quick succession suggests systematic reconnaissance of Nigeria's critical infrastructure rather than opportunistic attacks.
The implications extend well beyond banking. Any organization handling sensitive data, including fintechs, insurance companies, pension fund administrators, healthcare providers, and government agencies, needs to take a harder look at its security posture. The question to ask is not "are we compliant?" but "could we detect and contain an active breach today?"
Regular, genuine security testing is now a matter of survival, not compliance. Checkbox assessments that produce clean reports but never test real attack scenarios offer a false sense of security. What organizations need are thorough assessments conducted by experienced senior penetration testers who simulate the same techniques that actors like ByteToBreach actually use.
Looking Ahead
The attacks on Sterling Bank, Remita, and the CAC are not isolated incidents. They are part of a pattern that has been building for years, now concentrated in the hands of a single threat actor. Nigerian financial institutions are high-value targets, and ByteToBreach has demonstrated that they are well-resourced, patient, and capable of sustained operations against Nigeria's most critical systems, or that these systems are just really weak. Will your organization be ready when it is targeted?
- One threat actor, four targets: ByteToBreach hit Sterling Bank (900K accounts), Remita (3TB of government data), the CAC (potentially 25 million documents), and FCMB (N677 million stolen).
- 18,872 attacks per month on Nigerian banks in 2026. Losses tripled from N17.67B (2023) to N52.26B (2024).
- Regulators are responding: NDPC investigating 30+ organizations. CBN issued emergency self-assessment directives. NITDA coordinating the CAC incident response.
- Compliance did not prevent any of these breaches. The question is not whether you are compliant. It is whether you could detect and contain a breach today.