Sterling Bank faces data breach allegations as customers express security concerns

There is growing concern within Nigeria’s banking sector following allegations of a major data breach involving Sterling Bank, with reports claiming that sensitive customer and employee information may have been exposed.

At the centre of the controversy is a dark web actor identified as “ByteToBreach,” who has reportedly claimed responsibility for infiltrating the bank’s systems and accessing a significant volume of data.

The individual allegedly stated that records linked to nearly one million customer accounts, as well as more than 3,000 employee profiles—including senior management details—were compromised.

According to sources familiar with the claims, the data purportedly accessed includes highly sensitive information such as Bank Verification Numbers (BVN), NUBAN account numbers, passport and driver’s licence details, transaction histories, loan records, credit scores, and internal staff data.

If verified, cybersecurity experts say such information could potentially be exploited for identity theft, financial fraud, and sophisticated social engineering schemes.

For many customers, the situation has triggered anxiety amid broader concerns about security in a country already battling financial crimes and kidnapping. Some customers have reportedly considered closing their accounts over fears that their personal data could fall into criminal hands.

“This is no longer just about digital banking convenience; it’s about personal safety,” a Lagos-based customer said, reflecting widespread apprehension.

READ ALSO: Sterling Bank stops account maintenance fees, reinforces customer-first banking revolution

Preliminary reports suggest that the breach may have involved a vulnerability in Oracle WebLogic Server, a middleware platform used to connect web-based applications to backend databases.

Sources claim attackers may have bypassed authentication layers and extracted approximately 2.2GB of data, including Personally Identifiable Information (PII) of over 900,000 customers.

Cybersecurity analysts note that compromised PII can be particularly valuable to fraud networks employing advanced “social engineering” tactics, where criminals use accurate personal data to deceive victims into disclosing one-time passwords (OTPs) or other confidential credentials.

However, as of press time, Sterling Bank had not publicly confirmed the extent of the alleged breach.

The Nigeria Data Protection Commission (NDPC) has launched a formal investigation into the matter. The probe reportedly extends to both Sterling Bank and Remita Payment Services Ltd., a major player in Nigeria’s digital payment ecosystem.

According to the Commission, a Notice of Investigation was issued on April 1, 2026. The National Commissioner and CEO of the NDPC, Vincent Olatunji, directed that the investigation be broadened, warning that any organisation found to have violated provisions of the Nigeria Data Protection Act (2023) would face regulatory sanctions.

Industry analysts say the alleged incident highlights the increasing cybersecurity risks facing financial institutions as digital banking adoption accelerates.

“In modern banking, cybersecurity is not optional—it is foundational,” a financial sector analyst said. “Even the perception of vulnerability can significantly damage public trust.”

The situation also raises wider questions about cybersecurity preparedness within Nigeria’s financial system, particularly as banks continue expanding digital services and onboarding millions of customers online.

Trust remains the cornerstone of banking operations, and experts warn that any confirmed lapse in protecting customer data could have long-term reputational consequences.

While investigations are ongoing and full details have yet to be officially verified, the episode has already sparked intense debate about data protection standards, regulatory oversight, and institutional accountability in Nigeria’s financial sector.

For customers, the concern is immediate and personal. For regulators, it is systemic. And for Sterling Bank, the outcome of the investigation could prove pivotal in shaping public confidence in the years ahead.