Data Breach Exposé: How Open Security Gaps Exposed Millions of Nigerians’ Data

A recent exposé has revealed major security lapses across key Nigerian institutions, exposing millions of sensitive records and raising serious concerns about data protection and accountability.

According to the report , a threat actor identified as ByteToBreach gained access to multiple systems, including those linked to financial services and government databases, by exploiting vulnerabilities that had reportedly remained unaddressed for months.

At one financial institution, the breach stemmed from an unsecured testing server with a known critical vulnerability that had not been fixed for three months. The attacker reportedly spent several days inside the system, documenting access and extracting sensitive information.

The situation escalated when login credentials found within the compromised system were used to access additional platforms, highlighting poor data storage practices and weak internal controls.

More alarming findings were linked to a government database that serves as a central repository for corporate records in Nigeria. The system reportedly used predictable user identification patterns and lacked adequate authentication safeguards, allowing unauthorized access. The attacker is said to have gained administrative-level control, exposing personal and corporate data on a massive scale.

The report claims that tens of millions of documents—amounting to hundreds of gigabytes of data—may have been accessed or downloaded, including identity records, corporate filings, and sensitive personal information.

Despite the scale of the breach, the report alleges that affected institutions failed to promptly notify the public, raising questions about compliance with the Nigeria Data Protection Act 2023, which mandates timely disclosure of data breaches to both regulators and affected individuals.

The incident has sparked criticism over what has been described as “institutional silence,” with concerns that affected individuals were left unaware and unprotected while their data was potentially exposed.

Experts warn that such lapses not only undermine trust but also expose individuals and businesses to risks such as identity theft, fraud, and financial loss.

The revelations highlight the urgent need for stronger cybersecurity practices, stricter regulatory enforcement, and greater transparency from institutions handling sensitive data in Nigeria.