Nigeria’s data regulator, the Nigeria Data Protection Commission (NDPC), has raised alarm over what it described as coordinated cyber threats targeting the country’s financial systems and critical digital infrastructure, urging organisations to urgently reinforce their data security frameworks.
In an advisory signed by its Head of Legal, Enforcement and Regulations, Babatunde Bamigboye, the commission called for immediate action from organisations handling personal data.
The commission said its technical assessment uncovered activities by shadowy threat actors carrying out coordinated operations against key national systems.
The NDPC warned that institutions powering banking services, payment platforms, telecommunications, cloud infrastructure, and public-sector digital services are increasingly vulnerable, heightening the risk of data breaches and service disruptions.
“The commission strongly advises that data controllers and processors (including MDAs) urgently step up their technical and organisational measures to ensure the privacy of all Nigerians and other data subjects in line with the Nigeria Data Protection Act, 2023 (NDP Act),” the statement read.
The NDPC outlined several steps organisations must take to reduce exposure to cyber risks. These include appointing trained and certified Data Protection Officers, implementing comprehensive privacy policies, and conducting Data Privacy Impact Assessments.
It also stressed the need for stronger technical safeguards such as multi-factor authentication, zero-trust security architecture, and network segmentation.
“Organisations are expected to deploy robust identity and access controls, adopt zero-trust architecture, and ensure continuous patch management to address system vulnerabilities,” the commission stated.
Beyond internal systems, the regulator highlighted the importance of securing cloud infrastructure, application programming interfaces, databases, and access credentials.
The commission further advised organisations to implement real-time monitoring, logging, and threat detection systems, as well as encryption and secure credential management.
“Entities should conduct vulnerability assessments and penetration testing on critical systems and maintain regular backup, recovery, and resilience testing,” it added.
The advisory comes amid heightened regulatory scrutiny following an ongoing investigation into an alleged data breach involving Remita Payment Services Ltd and Sterling Bank, among others.
According to the NDPC, the probe is focused on determining the nature and scope of the breach, the categories of personal data involved, the risks posed to data subjects, and the adequacy of mitigation measures taken.
The commission reiterated its commitment to ensuring that organisations comply with the Nigeria Data Protection Act 2023, just as it warned that failure to implement appropriate safeguards could expose millions of Nigerians to privacy violations and cyber risks.
