Nexdel
Breaking Analysis · Data Security & Data Governance
Data Security & Data Governance
Nigeria’s Data Watchdog Is Silent.
A Hacker Claims Your Passport Is Already Online.
A threat actor with a documented global record claims to have extracted three terabytes of data from Sterling Bank and Remita — Nigeria’s central government payment infrastructure. The claims are unconfirmed by either institution. What is confirmed: real identity documents of named Nigerians are already publicly accessible online, the 72-hour legal notification window has expired, and Nigeria’s data protection regulator has not said a word. This is an analysis of what is known, what is alleged, what the law demands, and what your government still owes you.
NX / DS
Nexdel Intelligence
Breaking Analysis · Data Security & Data Governance · April 3, 2026
~14 min read
Read this first — confirmed facts vs unverified claims
A threat actor called ByteToBreach claims to have breached Sterling Bank and Remita. Those claims have not been confirmed by either institution. What has been independently confirmed: journalists at the Foundation for Investigative Journalism (FIJ) personally accessed published files and identified real identity documents — including passports and ID cards — of named Nigerians, still publicly accessible online as of April 3, 2026. If you have ever received a salary through Remita, submitted KYC documents to Sterling Bank, or paid any fee to a federal government agency, you may be among those affected.
ByteToBreach claim — unverified by institutions Independently confirmed fact
3TB Claimed stolen (unverified)
900K Accounts claimed at risk
800GB KYC data claimed taken
35K+ Password hashes (claimed)
3K+ Employee records (claimed)
0 NDPC public statements
◆
The Actor Behind the Claim — And Why Dismissal Is a Mistake
Every major breach claim carries an initial temptation: treat it as noise until proven otherwise. That instinct has its place. But it must be weighed against the actor’s track record — and in the case of ByteToBreach, that track record makes comfortable dismissal difficult to justify.
ByteToBreach is a threat actor with a documented operating history stretching back to at least mid-2025. Global cybersecurity intelligence firm KELA has profiled the actor as a systematic data leak operator — not someone seeking headlines, but someone monetising access to stolen databases across multiple continents and sectors. Prior incidents attributed to this actor include confirmed data exposures at a Scandinavian ferry company, a Central Asian bank, and an airline whose leaked passenger manifests contained records of foreign government personnel. In the Eurofiber case — a European fibre infrastructure company — ByteToBreach’s claim of a breach was independently confirmed by the company itself after the fact.
The pattern this establishes matters: ByteToBreach has been right before. The data it has published in prior incidents has been verified as genuine by affected organisations, independent security researchers, and threat intelligence firms. When this actor makes a claim of this scale about Nigerian institutions, the appropriate response is urgent investigation — not reassurance.
“The test of an institution is not whether it responds when a breach is convenient to acknowledge. It is whether it responds when enforcement is inconvenient, politically costly, and domestically sensitive. Nigeria is at that test right now.”
— Nexdel Intelligence Analysis
◆
What Happened — A Reconstruction of the Known Facts
Nexdel has reconstructed the following sequence from multiple independent Nigerian and international sources. A clear distinction is maintained throughout: what has been independently confirmed, what has been reported by credible outlets, and what originates solely from ByteToBreach’s own forum posts. Neither Sterling Bank nor Remita has confirmed or denied any specific claim. The NDPC has made no public statement.
Mar 27
The Sterling Bank claim — unconfirmed by Sterling Bank ByteToBreach posts on a dark web forum asserting unauthorised access to Sterling Bank Nigeria. The actor claims approximately 900,000 customer records and over 3,000 employee files were taken. The alleged data categories include full names, Bank Verification Numbers, National Identity Numbers, international passports, driver’s licences, credit histories, transaction records, and loan data. These figures originate entirely from ByteToBreach’s own posts and have not been independently verified by any security firm or confirmed by Sterling Bank, which has issued no public statement.
Mar 31
Remita: ByteToBreach’s second claim — partially corroborated, not institutionally confirmed ByteToBreach asserts that Sterling Bank’s infrastructure served as the entry point into Remita’s cloud environment — specifically, a misconfigured Amazon S3 storage bucket. The actor claims to have extracted three terabytes of data, including over 800 gigabytes of Know Your Customer documentation. These volume figures are ByteToBreach’s own claims and have not been independently verified. What has been partially corroborated: journalists at the Foundation for Investigative Journalism (FIJ) accessed published files and confirmed they found genuine identity documents of real, named Nigerians — including passports and ID cards — still publicly accessible on cloud platforms as of April 3, 2026. The full scope of the dataset remains unverified.
Mar 31
Remita communicates — without acknowledging a breach Remita sends a communication to its business partners requesting urgent credential updates and IP configuration changes, attributing the disruption to efficiency improvements. The company does not use the words breach, hack, cyberattack, or data exposure. It does not reference ByteToBreach or the dark web claims. It does not contact the millions of individuals whose data flows through its platform. It promises service restoration by mid-afternoon. Remita has since confirmed systems are “fully operational” but has not addressed the breach allegations directly.
Mar 31
The CBN issues a cybersecurity directive — timing noted, causation unconfirmed On the same day as the Remita claim, the Central Bank of Nigeria issues a directive requiring all licensed banks to complete internal cybersecurity self-assessments within three weeks, with data reflecting their security posture as of December 2025. The CBN has drawn no official connection between this directive and the ByteToBreach claims. Whether the directive was triggered by intelligence about these specific incidents or was already in motion is not known. The timing has been independently noted by multiple observers and security analysts.
Apr 3
Seven days later — institutional silence holds The Nigeria Data Protection Commission has issued no public statement, no investigation notice, and no guidance to affected citizens. The files remain online and accessible. Remita confirms to partners that its systems are fully operational. Not one Nigerian whose data may be compromised has received an official notification.
◆
What the Data Actually Contains — Explained Plainly
Below is a clear-eyed account of what ByteToBreach claims to have taken, what independent journalists have partially corroborated, and what remains unverified. The distinction matters — for accuracy, for legal integrity, and for readers trying to assess their personal risk.
ByteToBreach’s claimed stolen data categories
Red = confirmed present in published files by FIJ journalists | Amber = claimed by ByteToBreach, not independently verified
National ID cards, passports, and photographs — confirmed present in published files by FIJ journalists, who named specific Nigerians whose documents they personally viewed
Bank Verification Numbers (BVN) — claimed by ByteToBreach; not independently verified as part of the dataset
National Identity Numbers (NIN) — claimed by ByteToBreach; presence in dataset not independently confirmed
Bank statements and utility bills — claimed as part of the KYC documentation; not independently verified
Full transaction histories and loan records — claimed by ByteToBreach; not independently verified
Over 35,000 password hashes — claimed published freely; reported by BizWatch Nigeria from forum content, not independently verified
Government HSM cryptographic keys — claimed by ByteToBreach in forum post; not verified by any independent security researcher or institution
Remita source code and Docker infrastructure — claimed by ByteToBreach; not independently confirmed
MySQL and PostgreSQL database dumps — claimed; FIJ confirmed “database folders and SQL codes consistent with a Remita environment” but did not verify full contents
Sterling Bank employee records — claimed as 3,000+ files; not independently verified
Confirmed by independent journalists Claimed by ByteToBreach — not independently verified
The most serious unverified claim in ByteToBreach’s posts concerns government Hardware Security Module keys. If true — and this has not been confirmed by any independent security researcher, affected institution, or regulatory body — the implications would extend well beyond a data breach. HSM keys are the cryptographic anchors of financial transaction systems: what infrastructure uses to verify that a payment instruction is genuine, unaltered, and authorised. A confirmed compromise of these keys would not merely expose historical data. It would raise a forward-looking question about the integrity of every future transaction processed through Remita. Nexdel treats this claim as analytically significant precisely because its implications, if verified, would be severe — but it must be clearly stated: as of publication, this remains ByteToBreach’s unverified assertion. Neither Remita, the NDPC, the CBN, nor any independent cybersecurity firm has confirmed it.
Remita processes the salaries of federal civil servants, the revenues of government ministries, and the tax receipts of the Nigerian state. Even setting aside the unverified HSM claim, the confirmed presence of real Nigerian identity documents in publicly accessible files is serious enough to demand an institutional response — one that has not come.
“If ByteToBreach’s claims about BVNs and NINs are verified, the harm is not temporary — these identifiers cannot be changed. A BVN is not a password. A NIN is not a username. Their compromise would be structural, and it would compound with time.”
— Nexdel Intelligence Analysis
◆
What Nigerian Law Requires — And What Has Not Happened
This is not a matter of editorial opinion. The obligations below are statutory. They are what the law says must happen. They have not happened.
NDPA S.40
Any organisation that becomes aware of a personal data breach likely to affect individuals’ rights and freedoms must notify the Nigeria Data Protection Commission within 72 hours of that awareness. That window has long elapsed. Neither Remita nor Sterling Bank has publicly confirmed filing such a notification, and the NDPC has not confirmed receiving one.
NDPA S.34
Where a breach creates a high risk to individuals — and a breach exposing BVNs, NINs, passport images, and cryptographic government keys unambiguously meets that threshold — the data controller is legally required to notify affected individuals directly and without delay. No such notification has reached any Nigerian citizen from either institution.
NDPA S.48
The NDPC possesses the statutory authority to investigate on its own motion, without waiting for a self-report from the affected organisation. It can compel victim notification, order financial compensation to affected data subjects, and refer matters for criminal prosecution. These are not discretionary courtesies — they are enforcement tools the Commission holds by law. They have not been deployed publicly in this case.
Cybercrimes Act 2024
The amended Cybercrimes Act establishes a mandatory 72-hour incident reporting obligation for operators of critical digital infrastructure — a category that expressly includes licensed deposit money banks and government payment processors. Both Sterling Bank and Remita fall within its scope. Neither has made a public incident report.
CBN Framework 2024
The Central Bank of Nigeria’s Risk-Based Cybersecurity Framework requires financial institutions to report significant cybersecurity incidents directly to the CBN. The CBN has issued a sector-wide directive in the aftermath of these claims — but has drawn no public line between that directive and the specific incidents in question.
◆
Six Questions the Nigerian Government Must Answer
What follows are not rhetorical provocations. They are the questions every affected Nigerian citizen has a legitimate right to demand answers to — on the record, from named institutions, with accountability attached.
?
To the NDPC — Question 01
The statutory 72-hour notification window under Section 40 of the NDPA has expired. Has the Commission received a breach notification from Remita or Sterling Bank? If yes, what formal action has been initiated? If no notification has been received, why has the Commission not exercised its Section 48 powers to investigate on its own motion — particularly given that it lists Remita as a data processor of major importance at the ultra-high level?
The NDPC is not a passive inbox. It is an enforcement body with investigative authority. Choosing not to act when a breach of this profile is publicly documented and partially verified is itself a decision — and that decision requires a public explanation.
?
To Remita — Question 02
Your communication to partners referenced service disruptions and efficiency improvements — not a breach, not ByteToBreach, not a word about data exposure. Millions of civil servants, government contractors, and citizens whose financial and identity data passes through your platform have received no notification. When will you make a full public disclosure about what occurred? And specifically: ByteToBreach claims to have obtained government HSM cryptographic keys. Has that claim been investigated? If the keys were exposed, have they been revoked and replaced?
Remita is not an ordinary private company. It is the operational backbone of Nigeria’s Treasury Single Account — the mandatory channel for all federal government revenues under Section 80(1) of the 1999 Constitution. Euphemism in the face of a potential breach of this magnitude is a policy failure, not merely a public relations one.
?
To Sterling Bank — Question 03
ByteToBreach has alleged that your infrastructure was not merely a target but the launchpad through which Remita was subsequently penetrated. If accurate, your institution’s security failure cascaded into the payment backbone of the Nigerian state. What specific cloud security controls were in place at the time? Who is accountable for their configuration? And what has materially changed since?
Nine hundred thousand customers is not a data point. It is 900,000 people who trusted a licensed financial institution with their most sensitive personal information — and who have received no warning, no guidance, and no acknowledgment that anything has occurred.
?
To the Central Bank of Nigeria — Question 04
Your cybersecurity directive was issued on March 31 — the same day ByteToBreach publicly claimed to have breached Remita. The CBN has drawn no official connection between that directive and these specific claims. Was the directive informed by intelligence about this incident? If yes, why did a sector-wide internal instruction go out while the Nigerian public — the potential victims — received no corresponding warning? If no, what does the CBN’s current assessment say about the systemic risk posed by the ByteToBreach claims to Nigeria’s financial infrastructure?
Central banks routinely manage sensitive information discreetly during live incidents — that is defensible practice. What is not defensible is the complete absence of any public communication to citizens who may be actively exposed to identity theft and financial fraud as a direct consequence of events the regulator was apparently aware of.
?
To the Federal Government — Question 05
Remita processes the financial transactions of every Ministry, Department, and Agency of the Nigerian federal government. ByteToBreach claims to have obtained government cryptographic keys — a claim that, if verified, would have implications for the integrity of future transactions processed through Remita, not just past data. Has the Office of the National Security Adviser been briefed on these claims? Has a national cybersecurity incident response protocol been activated to investigate them? If the answer to either question is no — what is the threshold that would trigger one?
HSM keys are not ordinary data. Their compromise is not a breach of privacy — it is a potential breach of the cryptographic infrastructure through which Nigeria’s public finances move. That demands a state-level response proportionate to its implications, not corporate language about restored operational efficiency.
?
To the NDPC — Question 06
The Commission has demonstrated willingness to pursue large foreign organisations with enforcement actions running into hundreds of millions of naira and dollars. It has been publicly silent in the face of a potential breach of a government-linked domestic platform serving tens of millions of Nigerians. Is enforcement appetite at the NDPC inversely proportional to the political cost of the target? And if the answer is no — what explains the asymmetry?
Selective enforcement — visible and aggressive against foreign multinationals, quiet and deferential toward domestic government-adjacent infrastructure — is not neutral regulation. It is a political act. Nigeria’s citizens are entitled to a regulator whose courage is not conditional on the identity of the offender.
◆
What You Should Do Right Now
Do not wait for an official notification that may never come. The law entitles you to one — but institutional behaviour in this case suggests you should act independently, today.
If you receive a salary through Remita or have transacted with any federal agency
Monitor all financial accounts immediately for unexplained activity
Your salary payment records, identity documents, and transaction history may be part of the compromised dataset. Watch specifically for unauthorised loan applications in your name, unexpected account debits, and any attempt to transfer your phone number to a new SIM card — a common precursor to OTP-based bank fraud.
If you are a Sterling Bank account holder
Change every password associated with your financial accounts today and activate two-factor authentication everywhere you can
Over 35,000 password hashes from this breach have been published freely. If you have reused the same password across banking applications, email, or social media, your exposure extends well beyond Sterling Bank itself. Do not wait for the bank to advise you — act now on your own behalf.
For every Nigerian whose NIN or BVN exists in any digital system
Treat any communication referencing your personal details as potentially fraudulent until independently verified
An attacker with your real name, photograph, BVN, and home address can construct a highly convincing impersonation. A phone call that correctly states your BVN is not evidence it comes from your bank. Verify everything through official channels independently before providing any information or authorising any transaction.
To assert your legal rights under the NDPA 2023
File a formal complaint with the NDPC at ndpc.gov.ng
Section 48 of the NDPA gives the NDPC authority to order data controllers to pay compensation directly to affected individuals. That right exists in law. Filing formally puts your case on the record — regardless of whether the Commission chooses to act.
◆
The Deeper Problem This Incident Exposes
It would be a misreading of this story to place ByteToBreach at its centre. The actor’s claims — many still unverified — are the occasion for this analysis, not its subject. The subject is the systemic architecture of accountability that this incident, verified or not, has made visible.
Nigeria spent years constructing a data protection framework. The NDPA 2023 is genuinely sophisticated legislation, modelled in part on the European GDPR and representing a meaningful advancement over the regulatory vacuum that preceded it. The NDPC was established with real enforcement powers and has demonstrated, in select cases, that it knows how to use them. Here is what is not in dispute: real Nigerian identity documents are publicly accessible online right now. The 72-hour legal notification window has expired. The NDPC has not spoken. That much requires no verification — it is observable fact.
Whether the full 3TB dataset exists as ByteToBreach claims, whether BVNs and NINs are in it, whether HSM keys were truly taken — those questions remain open. But the appropriate institutional response to even a credible, partially corroborated claim of this scale is urgent, public, and transparent. What Nigeria has received instead is corporate language about restored services and regulatory silence. That silence is not a claim. It is a documented, verifiable fact.
“Nigeria built a data protection law. It built a regulatory commission. It established enforcement powers that, on paper, rival comparable institutions in more mature regulatory environments. What it has not yet demonstrated — in this moment, against this incident — is the institutional will to use them when the cost is real.”
— Nexdel Intelligence Analysis
The version of events that Nigerians deserve is one where the NDPC opens a formal, public investigation; where Remita and Sterling Bank are compelled to notify affected individuals directly and in plain language; where the HSM key exposure is addressed transparently; and where the compensation mechanisms in the NDPA are made available to the people who need them. That version is still possible. It requires decisions that have not yet been made.
The version that requires no decisions — no courage, no political cost, no institutional accountability — is the one where this story fades, systems are confirmed restored, and millions of Nigerians discover months from now, through a fraudulent loan or a drained account, that something happened to their data and nobody thought to tell them.
You gave your BVN because the system required it. You submitted your passport because a bank demanded it. You made yourself legible to the state because legibility is the price of participation. The question Nigeria must now face is a simple one: when that trust is broken, who answers for it — and to whom?
Strategic Assessment
This incident is not primarily about ByteToBreach. It is about what Nigeria does with a working data protection law when using it becomes politically inconvenient. The NDPA 2023 gives the NDPC the tools: own-motion investigations, compelled victim notification, financial compensation orders, criminal referrals. The question before April 3, 2026 is whether those tools exist to be used — or to be pointed at.
The asymmetry between enforcement against foreign multinationals and silence toward government-adjacent domestic infrastructure is the central accountability test Nigeria’s data protection regime now faces. A regulator whose courage is conditional on the political cost of its target is not a regulator — it is a selective compliance mechanism. That is not the institution the NDPA was designed to create.
Even setting aside all unverified claims: real identity documents of real Nigerians are publicly accessible online. The 72-hour window has expired. No notification has reached affected citizens. That is the irreducible, verifiable core of this incident — and it is sufficient, on its own, to compel a formal public response. The decisions that produce that response have not yet been made. They still can be.
Expert insights to share? Nexdel Intelligence welcomes contributor submissions across climate, ESG, AI, Africa, and emerging markets.
Contribute ↗ 
