Sterling Bank, Remita and CAC data breaches: Why did the Nigerian institutions say nothing?

Omoleye Omoruyi

Sometime in late March, a threat actor known as ByteToBreach waltzed into Sterling Bank’s systems through a back door the bank already knew was broken and had left unrepaired for three months.

The actor spent nine days inside, documented everything he found, and then told the world about it through a post on a criminal forum.

In the wake of these breaches, Sterling Bank said nothing to its customers. Remita said nothing to its customers. The Corporate Affairs Commission (CAC) issued a statement that described the incident in language so understated it barely resembled what had actually happened.

The Nigeria Data Protection Act (NDPA) 2023 does not permit this.

None of them apologised. That is the story, not the hack itself, not the hacker, but the institutional silence that followed, and what that silence reveals about how Nigerian organisations treat the people whose data they hold.

To understand what happened across these three breaches, it helps to think of each one as a door that was left open. Not hidden, not locked, just open.


Sterling Bank’s door was a testing server, a pilot environment that developers use to try things before they go live on production systems. It had a known, maximum-severity vulnerability, the kind that cybersecurity teams flag with red alerts and urgent remediation timelines. The bank was aware of it. The door stayed open for three months anyway. ByteToBreach walked through it and spent nine days documenting everything inside.

Remita’s door was not even Remita’s fault to leave open. ByteToBreach found the keys to its systems sitting inside Sterling Bank’s files.

Production credentials, the kind of login details that should live in a secure, access-controlled vault, were stored in plaintext inside a code repository that the actor had already accessed through Sterling Bank.

Think of it this way: the actor broke into one office, found a clearly labelled key to the office next door hanging on the wall, and used it without breaking a sweat. Remita was never the target. It was collateral damage from a decision Sterling Bank made about how to store sensitive information.

The CAC’s door was different in character and far more alarming in consequence.

The CAC is not a commercial database holding transaction records. It is the legal ground truth of Nigerian corporate life, the authoritative record of every director, every shareholder, every registered address, every board resolution, every passport and NIN submitted to verify identity.

When the EFCC investigates a fraud, it checks the CAC. When a court disputes the ownership of a company, the answer lives at the CAC. When a bank conducts due diligence on a corporate client, the CAC is where it goes. This is foundational infrastructure, and ByteToBreach walked into it because the system used sequential integers as staff user IDs.

User 4705310. User 4705311. User 4705312. The actor used a standard security testing tool to count upward through those integers until the system returned a valid login token for user 4705317. No password. No second authentication factor. No challenge of any kind.

A randomly generated ID with billions of possible values would have made this attack computationally impossible. The CAC used a predictable counting sequence instead, and ByteToBreach’s own annotation on the screenshot he published confirmed exactly how elementary the method was.
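As an added illustration (not code from the article, from Odes's analysis, or from any of the organisations named), the following Python contrasts a counting-sequence staff ID with a random one and shows a log check a defender could run to flag the kind of sequential probing described above. The log lines, IP addresses and status codes are constructed sample data.

```python
"""Added example, not code from the article or from any organisation it names.
It contrasts the two staff-ID schemes the article describes and checks
constructed log lines for sequential probing. All sample data is made up."""
import secrets
from collections import defaultdict

def sequential_next(last_id: int) -> int:
    """Predictable scheme: each new staff ID is the previous one plus one."""
    return last_id + 1

def random_id() -> str:
    """128-bit random identifier; guessing a valid one is computationally infeasible."""
    return secrets.token_hex(16)

def seconds_to_exhaust(id_space_bits: int, requests_per_sec: float = 1000.0) -> float:
    """Time needed to try every value in an ID space at a fixed request rate."""
    return (2 ** id_space_bits) / requests_per_sec

def find_enumeration(log_lines, min_run: int = 5):
    """Flag sources whose requested user IDs form runs of consecutive integers.
    Each constructed log line has the form '<source> <status> <user_id>'.
    Returns {source: longest_consecutive_run} for sources at or above min_run."""
    per_source = defaultdict(list)
    for line in log_lines:
        src, _status, uid = line.split()
        per_source[src].append(int(uid))
    flagged = {}
    for src, ids in per_source.items():
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[src] = best
    return flagged

# Constructed sample log: one source counting upward through staff IDs, one normal user.
SAMPLE_LOG = [
    "10.0.0.7 401 4705310", "10.0.0.7 401 4705311", "10.0.0.7 401 4705312",
    "10.0.0.7 401 4705313", "10.0.0.7 401 4705314", "10.0.0.7 401 4705315",
    "10.0.0.7 401 4705316", "10.0.0.7 200 4705317",
    "10.0.0.9 200 4705400", "10.0.0.9 200 4705400",
]

if __name__ == "__main__":
    print("flagged sources:", find_enumeration(SAMPLE_LOG))
    print("seconds to exhaust a 22-bit vs 128-bit ID space:",
          seconds_to_exhaust(22), seconds_to_exhaust(128))
```

The 22-bit figure approximates a seven-digit counter like the one the article describes; the 128-bit figure is what a random identifier offers at the same request rate.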

Once inside, he created a personal account in the back-office system under the username bytetobreach, assigned himself staff ID 666, and proceeded to grant that account 474 administrative roles covering every functional area of the CAC’s administrative portal.

That meant full access to staff records, company profiles, director and shareholder details, home addresses, dates of birth, passport scans, NIN numbers, and the document approval queue.

There was also a second access path that required no authentication at all: the CAC’s document management system allowed direct file downloads from a public-facing subdomain, with the only barrier being knowledge of the filename. The lock was not a lock. It was the assumption that nobody would guess.


ByteToBreach claims he downloaded approximately 25 million documents totalling 759 gigabytes of data, and confirmed to David Odes, founder of Web Security Lab, who published a comprehensive analysis of the breaches and interviewed the actor directly, that 25 million was actually the initial and conservative count.

The true volume of CAC data in his possession, he said, was probably higher.

What the CAC said, and what the evidence shows

The CAC’s public statement, issued on April 15, described the incident as “unauthorised access to limited aspects of its information systems.” The agency confirmed it is reviewing the incident and working with NITDA, and advised stakeholders to monitor their records, update login credentials, and remain cautious of unsolicited communications.

The artefacts ByteToBreach published tell a different story. They show full administrative access across every portal in the CAC system, 474 roles assigned, 759 gigabytes of data publicly downloadable, and two screen-recorded video files, titled Exfil.mkv and Faster_Exfil.mkv, documenting the exfiltration as it happened.

“Unauthorised access to limited aspects” and “full administrative access with 474 roles and video documentation of the data theft” are not descriptions of the same incident. One of them is accurate.

Was Sterling Bank negotiating a ransom?

The detail that should concern Sterling Bank customers most is not technical. ByteToBreach confirmed to Odes that he contacted all three organisations before publishing their data. The CAC did not respond. Remita did not respond. Their data was published. Sterling Bank responded, and what followed is a matter of public record now, even though the bank itself has never acknowledged it.

Sterling Bank, which has issued no public statement since March 27, has sent no notification to its customers, and which received a Notice of Investigation from the Nigeria Data Protection Commission on April 1 and stayed silent regardless, was negotiating a ransom of €250,000 with the person who held its customers’ data.

The negotiations reportedly stretched across weeks. ByteToBreach grew tired of the delays and published regardless, and hundreds of thousands of Sterling Bank customers spent that entire period unaware that their bank was having this conversation on their behalf.

What the law requires

None of this silence is legally defensible, and it is worth being precise about why.

The Nigeria Data Protection Act 2023 requires data controllers, a category that includes licensed financial institutions and government agencies, to notify the Nigeria Data Protection Commission within 72 hours of becoming aware of a breach that poses risk to individuals. It also requires notification to affected individuals without undue delay. Those are statutory obligations, not aspirational guidelines.

Sterling Bank became aware of its breach no later than the point at which it began negotiating a ransom. The NDPA contains no clause permitting a data controller to delay customer notification while conducting back-channel negotiations with the person who holds their data.

The bank’s silence was not a crisis management strategy operating in a legal grey area. It was a direct and ongoing violation of the notification obligation, compounded by every day that passed without a word to customers.

The Nigeria Data Protection Regulation 2019, which predates the Act and established the foundational framework, requires institutions to implement reasonable security measures to protect personal data.

An unpatched maximum-severity vulnerability left exposed on an internet-facing server for three months, production credentials stored in plaintext inside a code repository, and a government registry accessible without authentication on a public subdomain are not reasonable security measures by any reading of that standard.

The regulatory exposure across all three institutions is significant, and the NDPC has already opened investigations into Sterling Bank and Remita.

The question that remains

When Odes asked ByteToBreach about the human consequences of publishing 25 million documents belonging to ordinary Nigerians who had registered companies, submitted passports, and trusted a government agency with their identity, the response was direct: “Protecting Nigerians is not my responsibility. That’s the duty of the government.”

The actor is not entirely wrong about where the primary duty lies. The CAC left its system accessible without authentication on a public-facing server. Sterling Bank left a known critical vulnerability unpatched for three months on an internet-facing environment. Remita committed production credentials to a code repository.

These are institutional failures, not acts of fate, and the regulatory framework that was supposed to catch them before a threat actor did clearly did not. The actor who exploited those failures is not absolved by pointing at who left the doors open, but every institution in that chain, the agencies that left the systems exposed, the regulators whose oversight did not catch it, and the bank that knew and went silent, carries a share of what followed.

What is harder to argue with is the absence of even a basic acknowledgment. The small business owner in Surulere who registered a company years ago and submitted their passport to a government agency did not choose to be part of this. They did not get a warning, they did not get a notification, and they did not get an apology from any of the three institutions that held their data and failed to protect it. They got silence from the organisations that owed them transparency, and a calm, matter-of-fact account from the hacker who took their information and posted it on a criminal forum.

ByteToBreach ended his exchange with Odes with a religious blessing and a polite goodbye, no gloating, no performance, just permission to publish and a farewell.

Odes notes that the normalcy of it is the most unsettling thing in the entire exchange, because the doors ByteToBreach walked through were not hidden or obscure. All of them were findable by anyone who cared to look, and he looked because he had the time and the inclination. The institutions left the doors open because they calculated, correctly until now, that nobody was checking.

The question that follows is not really about ByteToBreach anymore. He has answered for himself. The question is about every institution in Nigeria that holds personal data and has never been asked to prove, rather than merely assert, that the doors are shut.

