BytToBreach hits Nigerian institutions

Nigeria’s data regulator is investigating an alleged breach campaign tied to the handle ByteToBreach after claims involving Remita, Sterling Bank and other entities surfaced in late March and early April 2026. (guardian.ng) The Nigeria Data Protection Commission said notices of investigation were served on April 1, 2026, and said the probe covers the scope of the breach, the data involved and the mitigation steps taken. The commission’s statement was reported on April 5. (guardian.ng) A separate report published April 3 said ByteToBreach had posted what appeared to be know-your-customer files, identity records, screenshots, database folders and user hash information linked to Remita-related systems. FIJ said many of the exposed folders and repositories were still accessible when it checked them. (fij.ng) CyHawk Africa, a threat-intelligence firm, said in an April 1 advisory that the actor used Sterling Bank as a pivot into Remita Payment Services and claimed to have taken cryptographic material for more than 16 Nigerian banks, 588 gigabytes of know-your-customer documents and Remita source code. Those claims have not been confirmed by Nigerian authorities in public. (cyhawk-africa.com) The Corporate Affairs Commission added a government-agency dimension on April 16, when it confirmed unauthorized access to “limited aspects” of its information systems and said it was working with the National Information Technology Development Agency and other partners on containment. Daily Post reported the commission said response protocols were activated immediately. (dailypost.ng) The immediate issue is not only whether files were stolen. In payment systems, cryptographic keys work like master seals that help institutions verify transactions, and CyHawk said banks using Remita’s straight-through-processing network should treat settlement keys as compromised and rotate them. (cyhawk-africa.com) Nigeria’s data law sets deadlines once an organization becomes aware of a risky breach. Section 40 of the Nigeria Data Protection Act, 2023, says a data controller must notify the commission within 72 hours, and must also inform affected people in clear language when the risk is high. (ndpc.gov.ng) The regulator has signaled it is willing to enforce that law. The Guardian reported the commission fined Fidelity Bank N555.8 million in 2024 over data-protection violations, one of the largest penalties issued under the current regime. (guardian.ng) ByteToBreach is not a new alias. FIJ said researchers at KELA and SOCRadar had tracked the actor since at least mid-2025 across Telegram, Signal, Pastebin and cybercrime forums, while CyHawk said the group’s model is to steal data, demand payment and publish anyway. (fij.ng, cyhawk-africa.com) Sterling Bank and Remita were under formal investigation as of early April, while the Corporate Affairs Commission publicly acknowledged its own incident on April 16. The next hard facts are likely to come from regulator findings, customer notifications or further technical disclosures rather than from the threat actor’s posts alone. (guardian.ng, dailypost.ng)