The Remita Breach: A Goldmine for Fraudsters and Exposure to Identity Theft

It is one thing to transact on a government-recognised payment processing platform where you confidently upload your data for official use; it is another when thousands of users realise that all their sensitive information is now available to a third party they never dealt with.

According to reports, this is allegedly the case at Remita, a platform operated by Remita Payment Services Limited.

The financial services platform, originally developed by SystemSpecs, has served as the gateway for the Treasury Single Account of the Nigerian government for several years. It has helped in harmonising revenue collection across all levels of government.

However, concerns began to mount when news broke in March that a notorious hacker, ByteToBreach, claimed to have breached Remita’s platform, allegedly accessing three terabytes of data stored online, including 800 gigabytes of Know Your Customer documents.

Although the claim has not been independently verified, Hackmanac, which tracks verified real-world cyberattacks, posted the alleged breach report on X (formerly Twitter) on March 31, 2026.

According to the post, the actor claimed access to databases, logs, and source code, as well as the release of part of the data, including over 35,000 coded password versions.

Remita did not respond to multiple requests for comment and has not issued any official statement regarding the alleged data breach. An email sent to the address listed on its website only received an automated reply without an actual response to the inquiry. The phone number provided could also not be reached.

Several individuals and agencies are at risk

According to reports, the underground hacker, ByteToBreach, is likely to be in possession of sensitive information belonging to multiple individuals, agencies, and civil servants, including details about their contacts, addresses, and biodata. This is largely due to the fact that millions of Nigerians use Remita for various payment processes.

This means candidates paying fees, such as those for the Joint Admissions and Matriculation Board, and students paying tuition on the platform could all be at risk of compromised data. Information on universities and government accounts may also be unsafe. State workers under the Remita-related Integrated Payroll and Personnel Information System are also not left out.

The Nigeria-based Foundation for Investigative Journalism reported in early April that one of the exposed files contained references and Structured Query Language (SQL) codes, which are commands used to store, find, change, and delete information in a database. The data structures, it added, are consistent with a Remita-related database environment. Specifically, among the data allegedly accessed were photos, bank statements, and electricity bills.

Others included bank verification numbers, pension deductions, tax records, contractor invoices, supplier bank account details, passport payment records, and other sensitive financial data belonging to both individuals and government institutions.

In terms of names, FIJ said it spotted original records belonging to at least three identified Nigerians among hundreds of others.

This information, if misused, could negatively impact the lives and careers of the individuals concerned.

Remita begins API key resets

After reports surfaced about the alleged data breach, Remita reportedly asked its partners to urgently regenerate their Application Programming Interface (API) credentials and whitelist their IP addresses.

This means partners were reportedly asked to reset their access codes and allow only approved devices to connect for security reasons.

“To achieve full synchronisation of services at your end, you are required to regenerate your API credentials,” Remita said in an email a day after the incident, according to Peoples Gazette.

According to the publication, Remita made no mention of a security breach and only cited “some hitches” in its statement – language believed to have been used to douse tension.

“We are aware that there have been some hitches in the interface between our environment and yours between yesterday and today,” Remita was quoted as saying in the email.

The report stated that the platform attributed the disruption to “ongoing efforts aimed at improving overall operational efficiency and service delivery,” promising full restoration of services by 3:00 p.m. on March 31.

NDPC launches probe

While the development continued to generate controversy, Nigeria’s data protection watchdog, the Nigeria Data Protection Commission, launched a probe into the incident.

In a statement seen on its official X handle titled “NDPC Investigates Remita and Sterling Bank for Alleged Data Breach,” the commission said it was carrying out an investigation into the alleged data breach involving Remita Payment Services Ltd., Sterling Bank, and other entities.

The statement, issued on April 5, was signed by the Head of Legal, Enforcement & Regulations, Babatunde Bamigboye.

“Relevant parties and individuals have been providing information for the purpose of addressing the incident. The aim of the investigation is to ensure that data subjects are protected with appropriate technical and organisational measures.

“The investigation by NDPC covers, among others, the types of personal data involved, the nature and scope of the alleged breach, the risk to data subjects, and the mitigation measures carried out where a breach is confirmed,” Bamigboye said.

He added that the Commission’s National Commissioner/CEO, Dr Vincent Olatunji, also directed that organisations that employ digital payment systems without putting in place appropriate technical and organisational measures, as mandated under the Nigeria Data Protection Act 2023, would be examined.

He said this was part of a wider effort to ensure the integrity of the ecosystem.

While the reported victim of the hack is Remita, the NDPC included Sterling Bank in its investigations. This may be due to information said to have been released by the hacker, which stated that the bank’s servers were allegedly “helpful in conducting the attacks on Remita.”

It is, however, not certain whether mentioning the bank was a diversionary tactic by the notorious ByteToBreach. The NDPC is expected to get to the root of the alleged breach, but it has not provided an update as of the filing of this report.

Remita’s success story

For more than a decade, Remita has been the main platform for processing salaries, allowances, and other transactions on behalf of federal and state government agencies across Nigeria.

While it is one of the most successful government digital projects, inadequate protection technology could hamper its reliability.

A member of the Institute of Software Practitioners of Nigeria (ISPON), Musa Oladipupo, in an opinion published by ThisDay, highlighted that before 2015, the Federal Government of Nigeria operated over 17,000 disparate bank accounts without central coordination.

According to the expert, the government could not ascertain its true cash position at any moment.

However, upon full implementation in 2015, Remita’s platform facilitated the recovery of over N3 trillion from commercial banks.

He therefore described Remita as a proven platform that has transformed public financial management at scale.

“Remita represents something larger than a successful technology deployment. It demonstrates that well-designed digital infrastructure can reshape public institutions,” Oladipupo said.

Meanwhile, the alleged data breach at Remita, barely a month after the publication, points to a different scenario.

Cyber threats and regulatory oversight

If the breach is genuine, experts believe the situation likely reflects a porous cyberspace that appears to be more of an institutional problem than one peculiar to Remita alone.

In an interview with Open African Tribune, a cybersecurity expert in England, United Kingdom, Abdulazeez Abdulkadir, said the alleged Remita breach is a reminder that Nigeria’s fintech ecosystem is only as strong as the discipline behind it.

“When attackers can access HSM keys, source code, and full databases, that is not a small incident. It exposes gaps in security architecture, organisational culture, and national coordination,” he said.

The expert recommended measures to shield platforms like Remita from data breaches.

“Critical assets and data must be properly segmented, penetration testing should be conducted by independent teams, and audit logs must be secured in a way that prevents tampering.

“Identity data also needs stronger protection. Nigerians cannot change their NIN or biometrics, so once exposed, the risk is permanent. Encryption, tokenisation, and strict data minimisation should be standard across the sector,” Abdulkadir told this medium.

According to him, the communication around the alleged breach revealed another issue, as calling a multi-terabyte leak mere “hitches” only deepened uncertainty.

Suggesting a holistic approach, he said Nigeria needs clear breach-notification laws, and regulators must be empowered to investigate incidents independently and identify root causes.

“Credential security should never be an emergency response. API keys, MFA, IP controls, and regular access reviews should be part of security operations.

“At the end of the day, resilience is not a tool you deploy; it is a culture you build. Until security becomes a continuous responsibility, incidents like this will not be the last,” he told Open African Tribune.

For Prof. Yakub Aliyu, a technology researcher based in the United States, inadequate institutional support is one of the challenges confronting Remita.

According to him, despite global recognition, Remita and its developers have not always received the institutional support and strategic partnerships they deserve.

This suggests that if supportive measures are provided, the payment platform might be better able to shield itself against cyberattacks that can compromise its data.

“Yet, success stories like Remita remain rare. Nigeria urgently needs policies that prioritise indigenous digital infrastructure,” he stated in an article published by The Guardian Nigeria in 2025.

What the law says

Nigeria has a legal framework for data protection, with provisions for cases of breach.

Under Section 40 of the Nigeria Data Protection Act 2023, once a data breach is detected, the affected organisation must notify the NDPC within 72 hours of becoming aware of the incident.

Under the provisions, the notification must include the nature of the breach, including, where possible, the categories and approximate number of affected individuals and data records.

Data processors are also required to respond to follow-up requests from concerned authorities to support compliance efforts.

In cases where the breach poses a high risk, data controllers are expected to inform affected individuals. Such communication is also expected to provide guidance on steps individuals can take to reduce potential harm.

According to the Act, where direct communication is not feasible, the organisation may instead use public channels to ensure affected persons are informed.

Since the alleged data breach at Remita has not been officially acknowledged by the platform, this medium cannot independently verify whether the steps outlined by the NDPA are being followed.

However, the statement issued by the NDPC about probing the alleged data breach signals that relevant authorities have waded into the incident.

Are financial institutions taking steps?

According to information seen by Open African Tribune on Remita’s website, banks engaging in services with Remita include Providus, Access, Zenith, SunTrust, Skye, Sterling, FCMB, Heritage, Fidelity, Jaiz, Unity, Keystone, and Coronation.

A threat to Remita is a threat to these financial institutions and to the databases of their numerous customers, employees, and contractors.

It is not certain what specific steps are being taken by individual companies, especially financial institutions, to combat cyberattacks. Much of such information is not in the public domain, as it may also be deemed classified.

However, on March 31, the day the Remita breach was reported, the Central Bank of Nigeria directed banks to complete a mandatory cybersecurity self-assessment within three weeks, as part of efforts to strengthen resilience across the financial system.

It is not confirmed if the development is related to the alleged hacking of the Remita platform.

However, according to a PUNCH report, the apex bank said, “Institutions are required to submit their completed CSAT within the following timelines: i. Three (3) weeks – Deposit Money Banks (DMBs); ii. Five (5) weeks – all other regulated institutions.”

The directive, addressed to banks and other financial institutions and payment service providers, introduced a Cybersecurity Self-Assessment Tool to evaluate cyber risk exposure.

The CBN stated that the move was in line with its statutory mandate under the Banks and Other Financial Institutions Act 2020 and its broader commitment to improving cybersecurity standards in the sector.

The regulator noted that CSAT is designed as a supervisory instrument to provide a comprehensive view of financial institutions’ cybersecurity posture.

It explained that the tool would assess critical areas, including governance structures, risk management frameworks, technology systems, third-party risk exposure, incident response capacity, and overall operational resilience.

A breach of Remita data, no doubt, could put many citizens, whose information may have been accessed, at risk. This is aside from the potential of the breach to compromise national security.
