The Nigeria Data Protection Commission (NDPC) has launched an investigation into an alleged data breach involving Remita Payment Services Ltd and Sterling Bank, with proceedings formally initiated on April 1, 2026, as part of efforts to safeguard personal data and uphold compliance with Nigeria’s data protection laws.

In a press statement dated April 5, 2026, the Commission disclosed that the probe extends beyond the two named institutions to include other entities potentially connected to the incident.

According to the NDPC, notices of investigation have already been issued, and relevant stakeholders are currently submitting information to aid the process.

The regulator said the investigation is focused on determining the categories of personal data involved, assessing the scale and nature of the suspected breach, and evaluating potential risks posed to affected individuals. It also aims to establish whether adequate mitigation steps were taken in instances where a breach is confirmed.

Beyond the immediate case, the NDPC signaled a broader regulatory sweep. The Commission’s National Commissioner and CEO, Vincent Olatunji, has directed that organizations operating digital payment systems without sufficient data protection structures will come under scrutiny. This move, the Commission noted, aligns with enforcement provisions under the Nigeria Data Protection Act (NDPA) 2023.

The development places fresh attention on data governance within Nigeria’s rapidly expanding digital finance space, where concerns around privacy, security, and regulatory compliance continue to grow alongside increased adoption.

While the investigation is ongoing, the NDPC maintains that its primary objective remains the protection of data subjects and the strengthening of institutional accountability across the ecosystem.