Nigeria's Cybersecurity Reckoning: The Breach Wave and the Council Racing to Catch Up
- Oludare Ogunlana


Nigeria's digital economy is under sustained assault, and the country's defenses are being tested in public. In a matter of weeks this year, attackers struck the national corporate registry, a tier-one bank, the government's payment backbone, and the nation's top financial crimes agency. The federal government has answered with a new coordination council and tighter rules. The real question is whether that response can move fast enough to matter.
The bottom line is simple. Nigeria now faces a structural cybersecurity problem, not a run of bad luck. The breaches reached the foundations of the formal economy. The policy response is sound in design but slow in delivery. Closing that gap is now a national security priority.
A breach wave that reached the foundations
The 2026 wave was not random. Threat actors moved from individual banks to the platforms and registries that the entire economy depends on.
Corporate Affairs Commission (CAC). On April 15, the CAC confirmed unauthorized access to limited parts of its systems and shut down its registration portal. The group known as ByteToBreach claimed it took roughly 25 million files, about 750 gigabytes, and leaked more than 15 million documents. One screenshot was labeled "GOV_BETRAYAL."
Sterling Bank. In late March, ByteToBreach claimed access to about 900,000 customer accounts and 3,000 staff records, including Bank Verification Numbers, National Identity Numbers, and passports.
Remita. The same actor claimed a breach tied to a misconfigured cloud storage bucket, reportedly exposing about three terabytes of data on the platform that processes government salaries, taxes, and payments. The actor demanded 250,000 euros.
Economic and Financial Crimes Commission (EFCC). Around April 21, an actor linked to Nullsec Nigeria claimed a leak of agent names, phone numbers, operational code names, and password hashes.
Fast Credit. Around April 25, an actor known as iProfessor offered roughly 870 gigabytes and close to 940,000 records for sale, including identity documents, loan records, and bank statements. That claim remains unverified.
The most uncomfortable detail came on June 4, when the advisory firm Digital Encode warned that most recent incidents stem from preventable weaknesses in basic configuration, credential management, and operational controls, not sophisticated zero-day exploits. In plain terms, the doors were left open.
The damage is strategic, not just technical
A breach of a single bank is costly. A breach of the national corporate registry is something else. The CAC is the master key to Nigeria's formal economy. Banks check it for due diligence. Courts rely on it to establish legal ownership. The EFCC uses it to trace fraud. The country's beneficial ownership reforms and its anti-money laundering progress rest on the integrity of that register.
A breach of the national corporate registry is not a data incident. It is a strike against the integrity of the formal economy.
Exposure of that data hands criminals a blueprint. They can build more convincing shell companies, steal directors' identities, blackmail executives, and divert funds through fraudulent invoices. Foreign intelligence services could map ownership across oil, gas, and telecommunications. This is where a data breach becomes a sovereignty problem.
The cost is measurable. Deloitte's Nigeria Cyber Security Outlook 2026 estimates the country lost more than 3 billion dollars to cybercrime between 2019 and 2025, about 500 million dollars a year. The United Nations Office on Drugs and Crime put losses at 1.1 trillion naira, roughly 805 million dollars, between 2017 and 2023. The fintech firm Prembly reported that AI-driven attacks on the financial sector rose 150 percent last year. The Nigeria Data Protection Commission says the country now records a cyberattack roughly every 39 seconds.
The government's response, and its limits
The federal government has not been idle. The response is taking shape on several fronts.
A new council. The Minister of Communications, Innovation and Digital Economy, Dr. Bosun Tijani, has launched the Nigerian Ministerial Advisory Council for Cybersecurity Coordination, known as NG-MACC. It is a non-statutory, multi-stakeholder platform for threat intelligence sharing and collective defense. A technical secretariat sits within NITDA, supported by the Nigerian Communications Commission, Galaxy Backbone, and the Nigeria Data Protection Commission.
A defined timeline. After a second stakeholder session in Lagos, the ministry set a 90-day roadmap running from June to September 2026 to nominate, confirm, and inaugurate council members and to produce a first work plan.
Tighter financial-sector rules. On March 30, the Central Bank of Nigeria introduced a Cybersecurity Self-Assessment Tool that requires financial institutions to evaluate their readiness, and it formally recognized AI as a tool against financial crime.
An end to silence. NITDA is pushing organizations to disclose breaches or at least share intelligence. The implementing directive under the Nigeria Data Protection Act, in force since September 2025, requires breach notification within 72 hours.
The design is sound. The pace is the problem. A council that inaugurates members in September cannot defend the systems that fell in April. NITDA's director general has said human error causes about 95 percent of breaches, and AI now makes those breaches harder to detect and more damaging. That points to a defense built on fundamentals and speed, not committees alone.
What Nigeria must do now
In my opinion, Nigeria does not have a strategy problem. It has an execution problem. The fixes are well understood. The will to deliver them at speed is what remains in doubt.
Fix the fundamentals first. The breaches exploited weak configurations, poor credential hygiene, and unpatched systems. Multi-factor authentication, encryption, disciplined patching, and tight access control would have blunted most of them.
Make disclosure real. Mandatory 72-hour notification only works with enforcement and with protection for those who report. Intelligence sharing must become routine, not optional.
Treat critical registries as critical infrastructure. The CAC, the national identity system, the payment rails, and electoral systems deserve the highest tier of protection and independent assurance.
Build local capacity. Nigeria cannot outsource its sovereignty. It needs in-house teams, certified professionals, and a talent pipeline that keeps skilled people at home.
A council is only as strong as the speed at which it can act. Coordination at committee pace cannot defend against threats that move at machine speed.
There is a clock on this. Nigeria heads into the 2027 general elections with electoral technology, from the IReV results portal to the BVAS units, now squarely in the threat picture. A national registry fell this year. The integrity of the vote cannot be allowed to follow.
Conclusion
Nigeria's breach wave is a warning, not a verdict. The country still has time to convert a reactive scramble into a durable defense. That requires execution at the speed of the threat, not the speed of bureaucracy.
At OGUN Security Research and Strategic Consulting, we help institutions assess their true exposure, harden the systems that matter most, and build the governance to defend them. If your organization holds data that matters, treat this moment as the warning it is. Contact OSRS to begin a risk assessment.
Intelligence. Protection. Strategy. www.ogunsecurity.com