The Nigeria Data Protection Commission (NDPC) has raised a significant alarm regarding coordinated cyber threats that are actively targeting Nigeria’s financial systems and its critical digital infrastructure. The commission is urging all organizations to urgently reinforce their data security frameworks to mitigate potential risks.

In a Data Protection Advisory released on Thursday, the NDPC revealed that its technical assessment has uncovered activities by what it described as “shadowy threat actors.” These actors are reportedly carrying out coordinated operations against key national systems, posing a substantial risk to data integrity and service availability.

The NDPC specifically warned that institutions integral to the nation's financial operations, including those powering banking services, payment platforms, telecommunications, cloud infrastructure, and public-sector digital services, are increasingly vulnerable. This heightened vulnerability increases the risk of severe data breaches and disruptive service outages.

The advisory, signed by Babatunde Bamigboye, Head of Legal, Enforcement and Regulations at the NDPC, called for immediate and decisive action from all organizations that handle personal data. The commission emphasized the need for organizations to comply with the Nigeria Data Protection Act, 2023 (NDP Act).

To reduce exposure to cyber risks, the NDPC outlined several essential steps for organizations. These include the appointment of trained and certified Data Protection Officers, the implementation of comprehensive privacy policies, and the regular conducting of Data Privacy Impact Assessments. These measures are crucial for building a robust defense against sophisticated cyber threats.

Furthermore, the commission stressed the critical need for stronger technical safeguards. Recommendations include the implementation of multi-factor authentication, the adoption of a zero-trust security architecture, and effective network segmentation to isolate critical systems and limit the potential impact of any breach.

Beyond internal systems, the NDPC highlighted the importance of securing external-facing digital assets. This includes protecting cloud infrastructure, application programming interfaces (APIs), databases, and access credentials, which are often prime targets for attackers.

The regulator also advised organizations to deploy real-time monitoring, logging, and threat detection systems. Implementing robust encryption and secure credential management practices were also emphasized as vital components of a comprehensive security strategy.

“Entities should conduct vulnerability assessment and penetration testing on critical systems and maintain regular backup, recovery, and resilience testing,” the NDPC stated in the advisory. These proactive measures are essential for identifying weaknesses and ensuring business continuity in the face of potential cyber incidents.

This advisory comes at a time of heightened regulatory scrutiny, particularly following the NDPC's announcement of an ongoing investigation into an alleged data breach. The investigation involves Remita Payment Services Ltd., Sterling Bank, and other entities, underscoring the real-world implications of data security lapses.

The probe is focused on determining the precise nature and scope of the alleged breach, identifying the categories of personal data affected, assessing the risks posed to data subjects, and evaluating the adequacy of any mitigation measures that may have been taken. The NDPC reiterated its commitment to enforcing compliance with the Nigeria Data Protection Act 2023, warning that failure to implement appropriate safeguards could expose millions of Nigerians to significant privacy violations and cyber risks.