Sterling Bank, Remita, and CAC are currently facing scrutiny over alleged cybersecurity failures amid data breach scandal.
NewsOnline Nigeria reports that a major cybersecurity controversy has emerged involving Sterling Bank, Remita, and the Corporate Affairs Commission (CAC), following claims that a threat actor gained unauthorised access to sensitive systems and data across the institutions.
The alleged breach, linked to a hacker identified as “ByteToBreach,” has raised serious concerns about data protection practices, regulatory compliance, and institutional transparency in Nigeria’s financial and public sectors.
According to reports by Technext24, the attacker gained access to systems through vulnerabilities that had reportedly remained unaddressed for months. The breach is said to have extended beyond one institution, with compromised credentials from one platform allegedly providing access to another, highlighting risks associated with poor data security practices.
Particularly concerning are claims involving the CAC, Nigeria’s central corporate registry, where sensitive records including company ownership details and identity documents are stored. Analysts say any compromise of such infrastructure could have far-reaching implications for corporate governance, financial due diligence, and legal processes.
ALSO: Nigerian Startups Selected for 10th Google for Startups Accelerator Africa Cohort
Despite the scale of the incident described in independent analyses, responses from affected institutions have been limited. The CAC acknowledged an issue, describing it as “unauthorised access to limited aspects” of its system, while also confirming collaboration with the National Information Technology Development Agency to address the situation.
However, the reported scope of access and data exposure has sparked debate over whether official disclosures fully reflect the severity of the incident.
The situation also raises questions under the Nigeria Data Protection Act 2023, which mandates organisations to notify regulators and affected individuals within a specified timeframe in the event of a data breach posing risks to individuals.
Regulatory authorities, including the Nigeria Data Protection Commission, have reportedly initiated investigations into aspects of the incident, particularly regarding compliance with notification and data security obligations.
Cybersecurity experts note that the episode highlights broader systemic issues, including delayed vulnerability patching, weak credential management, and insufficient access controls across critical systems.
Beyond the technical dimensions, the controversy has intensified calls for greater accountability and transparency from institutions entrusted with sensitive personal and financial data.
As investigations continue, the incident is expected to shape ongoing discussions around cybersecurity standards, regulatory enforcement, and the need for stronger data protection frameworks in Nigeria’s rapidly evolving digital economy.
