Alleged Data Breach Targets Nigerian Microfinance Firm Fast Credit, Exposing Nearly 1 Million Records An alleged data breach has surfaced in Nigeria’s financial sector, with threat actors claiming to have compromised Fast Credit Finance Company Limited, a Central Bank of Nigeria (CBN)-licensed microfinance institution. The breach was first publicized on April 25, 2026, via a post on X (formerly Twitter) by the threat intelligence account Dark Web Informer, which tagged the hacker iProfessor and described the incident as one of Nigeria’s largest financial sector breaches. The attacker is reportedly offering 870 GB of data containing 939,887 records for sale on a cybercrime forum, limited to just five buyers. The stolen data includes highly sensitive customer information, such as: - Personal identifiable information (PII) - Government-issued ID scans - Loan and credit transaction records - Bank statements - Customer correspondence and contractual agreements - Next-of-kin details - Personal photographs and selfies Of particular concern is the inclusion of records belonging to Nigerian police officers and law enforcement personnel, raising risks of doxxing, targeted scams, blackmail, and potential threats to officer safety and ongoing investigations. While the breach remains unverified, screenshots shared by the threat actor appear to show sample loan documents and internal records. As of April 26, 2026, neither Fast Credit, the CBN, nor the Nigeria Data Protection Commission (NDPC) has issued an official confirmation or denial. ### A Surge in Cyberattacks Across Nigeria’s Critical Sectors The Fast Credit breach is part of a wider wave of alleged cyber incidents targeting Nigeria’s financial, government, and educational institutions in early-to-mid 2026. Key attacks include: - Corporate Affairs Commission (CAC) – Claimed by the group ByteToBreach, which allegedly exfiltrated 25 million files (750 GB), including company ownership records, director details, and beneficial ownership data. The CAC temporarily shut down its registration portal, sparking fears of shell company fraud and weakened anti-money laundering efforts. - Sterling Bank & Remita – Also targeted by ByteToBreach, with stolen data reportedly including customer accounts, Bank Verification Numbers (BVNs), National Identification Numbers (NINs), and staff records. Remita, which processes government payments, was particularly vulnerable due to its role in handling salaries and taxes. - Economic and Financial Crimes Commission (EFCC) – A threat actor linked to Nullsec Nigeria (alias “ki4t”) claimed a breach on April 21, 2026, allegedly leaking agent names, phone numbers, operational code names, and password hashes, potentially compromising investigations. - Lagos State University (LASU) & Federal Housing Authority – Additional targets in the recent spree, indicating that both public and educational institutions are under sustained attack. Financial institutions like Fast Credit are prime targets due to the high value of loan data, IDs, and personal records for fraud, identity theft, and dark web resale. ### Regulatory Response & Broader Implications The Nigeria Data Protection Commission (NDPC) has acknowledged the surge in attacks, launching investigations into multiple incidents, including the CAC breach. Vincent Olatunji, NDPC’s National Commissioner, has directed a review of access controls, data privacy assessments, vulnerability testing, and third-party processor due diligence. The NDPC has also issued advisories urging organizations to: - Appoint trained data protection officers - Enforce multi-factor authentication (MFA) - Update software and conduct security tests - Encrypt sensitive data and maintain backups If confirmed, the Fast Credit breach could lead to widespread identity theft, financial fraud, and blackmail, particularly given the inclusion of law enforcement records. The EFCC breach similarly raises concerns about operative safety and compromised investigations. Security experts warn that Nigeria’s digital infrastructure faces systemic vulnerabilities, including: - Legacy systems and unpatched software - Misconfigured cloud storage - Weak passwords and insufficient staff training With Nigeria losing billions annually to cybercrime and the 2027 general elections approaching, there are growing fears that critical systems like the Independent National Electoral Commission (INEC) could become future targets. For now, the Fast Credit breach remains unverified, as is common with dark web claims where actors post samples to attract buyers. Official confirmation would require forensic analysis or acknowledgment from Fast Credit or regulators. The NDPC continues to monitor developments, emphasizing cybersecurity as a national priority.

NDPC Launches Investigation into Alleged Data Breach Involving Remita, Sterling Bank The Nigeria Data Protection Commission (NDPC) has initiated an investigation into a suspected data breach involving Remita Payment Services Ltd., Sterling Bank, and other entities, reflecting heightened regulatory oversight in Nigeria’s digital payments sector. In a statement released on Sunday by Babatunde Bamigboye, Head of Legal, Enforcement and Regulations, the NDPC confirmed that a Notice of Investigation was served on the affected parties on April 1, 2026, as part of standard procedural protocols. The Commission has since begun collecting information from relevant organizations and individuals to support the inquiry. The investigation aims to assess the scope of the breach, including the categories of personal data exposed, the nature and extent of the incident, potential risks to affected individuals, and any mitigation measures already implemented. The NDPC emphasized its commitment to ensuring data subjects are protected through robust technical and organizational safeguards. The probe comes amid rising concerns over data privacy and security in Nigeria’s rapidly expanding fintech and banking industries, where vast amounts of personal and financial data are processed daily. Vincent Olatunji, National Commissioner and CEO of the NDPC, stated that the review would extend to organizations using digital payment platforms without full compliance with data protection requirements. These entities will be evaluated under the Nigeria Data Protection Act 2023, as part of broader efforts to enforce compliance and strengthen the country’s data protection framework.