NDPC investigates Remita, Sterling Bank for alleged data breach
The NDPC confirmed that the relevant parties and individuals have been providing information for the purpose of addressing the incident.
by Omotoyosi Idowu · Premium Times
The Nigeria Data Protection Commission (NDPC) has announced that it is carrying out an investigation into an alleged data breach involving Remita Payment Services Ltd., Sterling Bank, and other entities.
The investigation notice was disclosed on Sunday in a statement signed by the NDPC Head, Legal, Enforcement and Regulations, Babatunde Bamigboye, noting that the efforts are in line with the commission’s procedure, after receiving the ‘Notice of Investigation’ on 1 April.
The NDPC confirmed that the relevant parties and individuals have been providing information for the purpose of addressing the incident.
Cybercrime tracking platform, Dark Web Informer, announced in an X post on 31 March that there was “a massive breach allegedly from Remita, a major Nigerian payment processing platform, that has been leaked on a popular cybercrime forum.”
According to the report, a total of “3TB of S3 storage, 800GB+ of KYC documents (IDs, passports, photos, bank statements, electricity bills), MySQL/Postgres databases, logs, docker registries, source codes, government HSM keys, GitKraken to S3 backups and sources codes, 35,000+ password hashes, and three databases”, were breached on the Remita platform.
PREMIUM TIMES reached out to Remita through email and on social media platform X for clarity on the alleged data breach, but the payment platform did not respond.
Additionally, there were reports of a separate alleged data breach involving Sterling Bank around the same time period.
NDPC probes
In its statement on Sunday, the NDPC said that it is probing the alleged data breaches to ensure that data subjects are protected and to find the mitigating measures to counter the data breaches.
“The investigation aims to ensure that data subjects are protected with appropriate technical and organisational measures.
“The investigation by NDPC covers, among others, the types of personal data involved, the nature and scope of the alleged breach, the risk to data subjects and the mitigation measures carried out where a breach is confirmed,” the statement read.
The commission further clarified that companies that use digital payment systems without appropriate technical and organisational measures will also be examined as part of a wider effort to ensure the integrity of the ecosystem.
“The Commission’s National Commissioner/CEO, Dr Vincent Olatunji, has directed that organisations that employ digital payment systems without putting in place appropriate technical and organisational measures as mandated under the Nigeria Data Protection Act, 2023 (NDP Act), will also be examined as part of a wider effort to ensure the integrity of the ecosystem,” the statement read.