Your Customers' Data May Already Be for Sale: What the Sterling Bank, Remita, and CAC Breaches Mean for Your Business
In March and April 2026, a single threat actor compromised three of Nigeria's most significant digital institutions in rapid succession. Sterling Bank. Remita — the platform through which the federal government processes salary payments and collects revenue from over a thousand agencies. And the Corporate Affairs Commission — the registry holding the legal identity of every formally registered business in Nigeria.
He did not use sophisticated tools that only a nation-state would have access to. He found open doors, walked through them, and took what was inside. Then he listed it for sale on a cybercrime forum.
This is not a story about a clever hacker. It is a story about what happens when organisations treat security as something to fix later — and later never comes. If your business is online and you collect customer data in any form, this is your warning.
What Actually Happened — In Plain Terms
Sterling Bank — March 18, 2026
A test server — used by developers to trial new features before going live — was left exposed to the public internet. It was running software with a known vulnerability for which a patch had been available for months. An attacker connected to it and, once inside, found live production credentials stored in plain text inside a code file. No encryption. No vault. Just readable text.
He used those credentials to access Remita's systems directly. Sterling Bank received a regulatory notice from the Nigeria Data Protection Commission on April 1. According to published reports, the bank entered into ransom negotiations of up to €250,000. It told its customers nothing.
Remita — April 1, 2026
Remita was not the primary target. It was collateral damage. The attacker used the credentials found on Sterling Bank's server to pivot directly into Remita's environment — Nigeria's primary government payment infrastructure, through which the Treasury Single Account, civil service salaries, and revenue collections from over 1,000 MDAs flow. Approximately 3TB of data was claimed and published.
Remita's own security controls were not the point of failure. The failure was the trust relationship between institutions — and Sterling Bank's decision to store Remita's access credentials in an insecure location.
Corporate Affairs Commission — April 2026
A subdomain of the CAC's system was publicly accessible on the internet with no authentication at all. No password. No login check. No verification.
Behind that open door sat the passports, national identity numbers, court affidavits, company resolutions, director records, and shareholder information of millions of Nigerians who had registered businesses and trusted a government agency with their most sensitive documents. 25 million documents in total. The NDPC opened an investigation on April 17, 2026.
The Silence Made It Worse
Before publishing any data, the attacker contacted all three organisations to inform them of what he had found. The CAC did not respond. Remita did not respond. Their data was published.
Sterling Bank responded — and reportedly spent weeks in ransom negotiations while hundreds of thousands of customers remained completely unaware that this conversation was happening on their behalf.
None of the three institutions sent notifications to affected customers. The Nigeria Data Protection Act 2023 does not make this silence optional. It requires notification within 72 hours of becoming aware of a breach. The institutional response to this crisis — or the absence of one — is as troubling as the breach itself.
The Dark Web Is Not Abstract — It Is a Functioning Market
After each breach, the data was published on cybercrime forums. It is now circulating in a marketplace that operates with the same structure as a legitimate e-commerce platform: vendor listings, tiered pricing, buyer reviews, and escrow systems.
The goods for sale include:
- BVNs and full KYC packages
- Bank account details and transaction histories
- National identity numbers and passport copies
- Company registration documents and director records
- Email addresses and password combinations
Nigeria ranks third in Sub-Saharan Africa for total data breaches since 2004, with over 23 million compromised accounts on record. Around 60% of dark web activity involves trading stolen credentials and breached data.
This market does not distinguish between data stolen from a major bank and data stolen from a four-person fintech startup. Both have a price. The question is only how difficult you have made it to take what you hold.
What This Means for Your Business
You do not need to be a bank or a government registry to be at risk. Smaller businesses are often easier targets precisely because they carry the assumption that they are too small to be worth attacking.
If your business collects customer names, phone numbers, email addresses, payment details, or identity documents — through a website form, a payment integration, a WhatsApp Business account, or a customer database — you are holding data that has value to people who will use it to harm the customers who trusted you with it.
The tell-tale signs your business is exposed right now:
- You have never had a security assessment done on your website, application, or customer database
- Passwords and access credentials are shared among team members or stored in WhatsApp chats and email threads
- Two-factor authentication is not enabled on your email, payment systems, or admin accounts
- You do not know which third-party tools and integrations currently have access to your customer data
- Your software — website plugins, operating systems, payment SDKs — has not been updated in months
- You have no documented plan for what to do if a breach occurs: who to call, what to do, who to notify
- Security is something you plan to address "once the business grows"
If two or more of those apply to your business, your exposure is real and current — not theoretical.
The Three Failures Behind These Breaches (And Why They Are Common)
Security professionals will recognise all three entry points in the Nigeria breach chain as textbook failures that appear on every major security framework's list of critical risks.
1. An unpatched, internet-facing system
Sterling Bank's test server was running a known vulnerability with a documented fix. The patch existed. No one applied it. This is one of the most common causes of breaches globally — not because organisations do not know about patches, but because patching is treated as a low-priority maintenance task rather than an urgent security control.
What to do: Every internet-facing system your business operates — your website, your payment portal, your admin panel, your APIs — must be updated promptly when security patches are released. Critical patches should be applied within 72 hours.
2. Credentials stored where they should not be
The pivot from Sterling Bank to Remita happened because a developer stored live passwords in a code file on a test server. This practice — keeping secrets in code for convenience — is extraordinarily common, especially in teams that move fast. It is also one of the most dangerous security mistakes a development team can make.
What to do: Passwords, API keys, database credentials, and any other secrets must never be stored in code, configuration files, or repositories. They belong in dedicated secrets management tools. If you discover credentials stored in code, rotate them immediately.
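As an added illustration (not code from this post or from ARX AMANI), here is a small Python scanner that flags the kind of plain-text credentials described above before a test server ever exposes them. The detection rules and the sample settings file are constructed for this example; a dedicated tool will carry far more rules.

```python
import re
from pathlib import Path

# Illustrative detection rules, constructed for this example (not an exhaustive set);
# dedicated scanners such as gitleaks or trufflehog carry far more.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_credential": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*[\"']([^\"'\s]{8,})[\"']"),
    "credentials_in_url": re.compile(r"\b[a-z][a-z0-9+.-]*://[^:/@\s]+:([^@\s]+)@", re.I),
}
# Values that are clearly not live secrets: placeholders and deploy-time substitution.
PLACEHOLDERS = {"changeme", "password", "example", "your-key-here"}

def scan_text(text, filename="<input>"):
    """Return one finding per (line, rule) hit; the secret value is never echoed in full."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SECRET_PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if value.lower() in PLACEHOLDERS or "${" in value:
                continue  # placeholder or environment substitution, not a live secret
            findings.append({"file": filename, "line": lineno, "rule": rule,
                             "preview": value[:4] + "..."})
    return findings

def scan_tree(root, suffixes=(".py", ".js", ".yml", ".yaml", ".json", ".ini", ".cfg", ".env")):
    """Walk a source tree, skipping .git and node_modules, and scan every matching file."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or any(p in (".git", "node_modules") for p in path.parts):
            continue
        if path.suffix in suffixes or path.name.startswith(".env"):
            findings.extend(scan_text(path.read_text(errors="replace"), str(path)))
    return findings

# Constructed sample: a settings file of the kind left on an exposed test server.
SAMPLE_CONFIG = """\
DEBUG = True
DB_URL = "postgres://app:Sup3rS3cr3tPass@db.internal:5432/payments"
PAYMENT_API_KEY = "sk_live_0f3a9c1b7e2d4f6a8b9c"
SMTP_PASSWORD = os.environ["SMTP_PASSWORD"]   # correct: read from the environment
ADMIN_PASSWORD = "${ADMIN_PASSWORD}"           # correct: substituted at deploy time
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "settings.py"):
        print(f"{f['file']}:{f['line']}  {f['rule']}  ({f['preview']})")
```

Run `scan_tree(".")` from the root of a project to check a whole codebase; anything it reports should be rotated, not merely deleted from the file.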
3. A system open to the public with no access control
The CAC breach required no hacking skills at all. A subdomain was publicly accessible. The entire attack amounted to walking through a door that should have been locked.
What to do: Every endpoint, admin panel, database interface, or internal tool that your business operates must require authentication before serving any data. Review what is exposed to the internet. If it should not be public, restrict it.
Your NDPA 2023 Obligations
Under the Nigeria Data Protection Act 2023, any organisation that suffers a confirmed data breach must:
- Notify the NDPC within 72 hours of becoming aware of the breach
- Notify affected data subjects where the breach is likely to result in high risk to their rights
- Document the breach including its nature, categories of data affected, and remediation steps taken
- Implement appropriate technical and organisational measures to protect personal data from the outset
The NDPC has explicitly stated it will examine all organisations operating digital systems without adequate data protection measures. Organisations that cannot demonstrate compliance face investigation, sanctions, and reputational consequences.
What to Do Starting This Week
Security does not have to be overwhelming. Start with these actions — most of them cost nothing but time:
- Enable two-factor authentication on your email, social media accounts, payment platforms, and any system that holds customer data. Do this today.
- Audit what is internet-facing. List every website, form, admin panel, or system your business operates that is accessible from the internet. Verify each one requires a login before serving data.
- Check your software updates. Your website CMS, plugins, payment integrations, and operating systems should all be current. Identify anything that has not been updated in more than 30 days.
- Review who has access to what. Former employees, freelancers, and third-party contractors should not retain access to your systems after their engagement ends. Revoke access you did not explicitly grant.
- Write a one-page incident response plan. It does not need to be complex. It needs to answer: Who do I call? What do I do first? Who do I notify if customer data is involved?
- Get a professional assessment. If you do not know your current exposure, a vulnerability assessment will tell you — before an attacker does.
Conclusion
The organisations at the centre of Nigeria's breach season were not defeated by attackers who were smarter than their security teams. They were defeated by basic controls that were missing, deferred, or ignored — and by a culture that treated security as someone else's problem.
Every customer who submits their details through your website, your app, or your form is extending you a form of trust. They are telling you: I believe you will handle this responsibly. That trust is not given conditionally. It is given in full, and it deserves to be honoured in full.
Security built in from the start costs a fraction of what a breach costs. Not just in money — but in time, in reputation, and in the relationship you have worked to build with every customer you serve.
The data is already being sold. The question is whether yours is in the market.
ARX AMANI Technologies provides managed cybersecurity services for Nigerian businesses. We help organisations identify their exposure, implement the right controls, and stay compliant with the Nigeria Data Protection Act — without requiring a full in-house security team.
Tags: data-breach, nigeria, sterling-bank, remita, cac, cybersecurity, NDPA, business-security, SME
Category: Cybersecurity