Cyberattacks: Experts Say Nigeria’s Digital Economy At Risk

BY OLAMIDE OJUOKAIYE, Lagos AND INNOCENT ODOH, Abuja

Data protection has become a critical economic and security imperative for Nigeria as the country grapples with a surge in sophisticated cyberattacks targeting its financial systems and public institutions, a United Kingdom-based lawyer and data protection expert, Temidayo Akindele, has warned.

The concerns come amid growing warnings by cybersecurity experts that Nigeria is witnessing a dangerous shift from opportunistic cybercrime to highly coordinated, intelligence-driven attacks.

The experts decried the recent hacking of some of Nigeria’s financial institutions and the ease with which criminals have breached the data security of these fintech institutions, especially the Corporate Affairs Commission (CAC), Sterling Bank, and Remita, and carted away important and sensitive data and company signatures.

The deleterious development has once again exposed weaknesses in the sector and the need for a comprehensive review of the country’s cybersecurity ecosystem, as well as robust safeguards for businesses.

Speaking with LEADERSHIP, Akindele stressed that Nigeria’s rapid digital transformation across banking, commerce and social interactions now demands a fundamental shift towards stronger data governance, privacy culture and ethical technology use.

“We are in a digital era. These things are not going to go away. Building a privacy culture is not just about avoiding risk; it is our passport to participating safely and competitively in the global digital economy. It is, in fact, an urgent economic imperative,” she said.

She noted that as more Nigerians migrate daily activities online, trust must remain the foundation of digital interactions.

“People want to know that the person at the other end of their digital interaction is real and that they’re not being scammed. Having secure and safe digital platforms builds trust. With the rise in cloud-based services, people need confidence that their information is secure and not accessible to unauthorised persons,” she added.

Akindele also emphasised that weak data ethics and poor handling of personal information from organisations and individuals are fuelling systemic vulnerabilities.

“With the rise of algorithms, artificial intelligence and online profiling, data must be used responsibly. You want data to be used for good, not for harmful purposes. Without proper safeguards, digital interactions can expose individuals and businesses to significant risks,” she said.

Cybersecurity expert Adewale Odunsi told LEADERSHIP that recent breaches indicate that cybercriminals are increasingly targeting critical infrastructure.

“What we are seeing is no longer random hacking. These are coordinated operations targeting identity systems, financial rails and national databases.

Once attackers gained access to core infrastructure like the Corporate Affairs Commission (CAC) or payment platforms, they can build entire fraud ecosystems around stolen data,” he said.

Odunsi warned that the growing trend of data exfiltration makes detection more difficult.

He stressed, “These are unlike ransomware, where systems are locked, and alarms are raised immediately, data theft can go unnoticed for months. By the time it is discovered, the data may already have been sold or weaponised,” he said.

On his part, senior business analyst & digital transformation specialist, Olalekan Olubiyi, remarked that the recent hacks experienced by CAC and other financial platforms are a massive wake-up call. “The fact that a hacker could gain unauthorised access to Remita from hacking Sterling Bank shows how interconnected our systems are. With Open Banking coming into play, it puts a huge spotlight on API Security and DevOps best practices. We must prioritise:. End-to-end data encryption both at rest and in transit, undertake Continuous VAPT (Vulnerability Assessment and Penetration Testing) instead of just annual audits. And lastly, API Rate Limiting & Behavioural Monitoring to spot when a ‘trusted partner’ starts acting like a bot”, he averred.

Similarly, a data protection specialist, Chioma Emmanuels, cautioned that the long-term implications of such breaches extend beyond immediate losses.

“The real danger lies in how stolen information is used over time. With access to KYC data, attackers can impersonate businesses, open fraudulent accounts or bypass verification systems. This is not just a cybersecurity issue; it is an economic and legal risk,” she said.

Cyber security Expert, Hanniel Jafaru told our correspondent that the Implications are enormous to the organisations affected and to the country in general.

He said, “It is a serious attack and generally a lot of things were lost during the attack, one being the fact that filings of directors were stolen and ownership details are exposed, and they have direct phone details which can be used to carry out spoofing attacks and further attacks such as email spoofing, phone number spoofing and the like.”

Jafaru also stated that the hackers also captured filing so they can know the actual amount filed by every company and business organisation, adding that they also captured signatures, which carries a huge risk.

“It invariably means that the hackers captured the signatures of almost everybody who owns a company in Nigeria, and they can use those signatures to make public requests, and an organisation can process the request because the signatures appeared to have been authenticated as the right signatures.

“Imagine a bank receiving a letter with a signature that a certain amount of money be transferred to certain individuals or organisations, the bank will verify that the signature is correct and use that authentication to carry out instructions, and if this was eventually discovered to be a fraud, you can imagine what that will cost to the company or organisation,” he added.

When asked about the possibility of tracing and arresting the hackers, Jafaru noted that the attackers are most likely not from Nigeria, but rather Nigerian fintech organisations, and that the Corporate Affairs Commission (CAC) has become their latest victim.

He said further that tracking the attackers might be difficult because of the challenges the country has with cybersecurity, stressing that “it is difficult to identify who is behind the IP address. Even if the IP address is traced to Nigeria, it is still difficult because one IP can be used by 50, 000 people.”

He lamented poor enforcement from regulatory agencies, stressing that it is only the Nigeria Data Protection Commission (NPDC) that so far designed a task force to tackle this kind of challenge.

“We don’t have an agency that regulates cybersecurity in this country. We need to have such legalised agencies to protect critical national assets. The agencies don’t know the extent of the damage cyberattacks can cause to the organisations they regulate.

“We therefore have to establish an agency specialised in regulating cybersecurity, and we must do that as soon as possible,’’ he added.

The Nigeria Data Protection Commission (NPDC) has made efforts in this regard, but at the time of filing this report on Sunday, the agency had yet to respond to requests regarding the unfortunate development, even as it assured a comprehensive response at a later time.

Another expert who wants to remain anonymous said organisations need to invest more in cybersecurity. He noted that Nigerians want to be part of the digital economy but are not ready to protect their investment. He said that many people are using an internet provider that does not have the expected security architecture, but because it is cheaper, they are switching to it.

“People are looking to minimise cost, but there is a lot of risk involved in using a particular internet provider, which many Nigerians are patronising, but it does not have a security architecture,” he added.

He blamed the situation on poor regulation and also suggested that the regulatory agencies must put measures in place to track these hackers, even as he urged severe punishment on the perpetrators of this crime.

These warnings come amid a wave of cyberattacks that have exposed vulnerabilities across Nigeria’s public and private institutions, raising concerns about data security and financial stability.

No doubt that Nigeria’s digital backbone is currently under intense pressure following coordinated attacks targeting the Corporate Affairs Commission (CAC) and key financial platforms.

As of 2025, more than N20 billion has reportedly been recovered from hackers by the Economic and Financial Crimes Commission (EFCC), highlighting the scale of the threat. While the latest disruption centres on the CAC, which temporarily shut down its company registration portal after detecting unauthorised access to its systems. As the statutory body responsible for business registration in Nigeria, any compromise of its infrastructure poses serious risks to the country’s commercial and legal framework.

Preliminary findings suggest that the breach may be linked to a cybercriminal syndicate known as ByteToBreach, which specialises in data exfiltration, stealing and monetising sensitive information without necessarily disrupting operations. Investigations indicate that the group may have exploited vulnerabilities in application programming interfaces (APIs) and database systems, potentially enabling manipulation of corporate records and execution of complex fraud schemes.

The threat appears broader, as the group has also claimed responsibility for breaching the Remita payment platform, alleging access to about 3 terabytes of data, including sensitive Know Your Customer (KYC) records. For Nigeria’s financial ecosystem, such breaches strike at the heart of identity verification systems used by banks and fintech firms, exposing individuals and businesses to fraud while eroding trust in the digital economy.

EFCC chairman, Ola Olukoyede, had earlier revealed that insider collaboration is compounding the problem, disclosing that cyberattacks on at least six banks led to losses exceeding N20 billion.

“What they do is to get a device and plug it into the banking system in connivance with insiders. From anywhere in the world, they can control the platform and move billions within seconds,” he said.

While authorities have remained cautious in public disclosures to avoid panic, experts warn that the scale of the threat may be far greater than currently known.

The Nigeria Data Protection Commission (NDPC) has also flagged rising risks, urging compliance with the Nigeria Data Protection Act, 2023, and recommending stronger safeguards, such as multi-factor authentication, a zero-trust architecture, and continuous monitoring.

However, Akindele argued that beyond regulation, Nigeria must address deeper cultural and institutional gaps in data handling.

“We have a culture of informal information sharing, which creates vulnerabilities. People share personal data carelessly, record private conversations without consent and misuse customer information. This exposes both individuals and businesses to risk,” she said.

She cited everyday practices among small businesses and online vendors as examples of weak data protection.

“A shop attendant collecting customer data must understand confidentiality. A vendor should not post a customer’s image online without consent. Data protection requires fairness and respect for privacy,” she added.

She warned that artificial intelligence introduces new risks, including deepfakes, bias and misinformation.

AI is powerful but must be used with caution. Without proper oversight, it can generate false information or expose sensitive data. Organisations must adopt secure, enterprise-level AI systems to avoid breaches,” she said.

Akindele further called for nationwide data protection awareness and mandatory training across sectors.

“We need to move beyond policies on paper. Data protection awareness must reach everyone, from schools to government institutions and private organisations. Every individual must understand their role in protecting data,” she said.

She commended the NDPC’s efforts to improve digital literacy but stressed that enforcement and education must go hand in hand.

“Any organisation seeking to do business globally will be assessed on its data protection standards. Without a strong privacy culture, Nigeria risks losing economic opportunities,” she noted.

The experts warned that as Nigeria pushes for digital inclusion, repeated cyber breaches could erode public trust and undermine economic growth.

A government policy analyst, Ayodeji Ake, said cybersecurity must be treated as a national priority.

“Without urgent investment in infrastructure, regulation and human capacity, Nigeria’s digital future will remain vulnerable,” he added.

While calling for stricter enforcement, he asserted that authorities must impose penalties for non-compliance, strengthen threat intelligence systems and pursue cybercriminals aggressively. Without deterrence, the gap between attackers and the vulnerable will continue to widen.