With Nigeria’s widening digital space, the spate of data breaches has elicited worries in some quarters over its effects on businesses and national security. LADESOPE LADELOKUN reports on the burgeoning cases of data breaches and how to curb the menace

At first, there was no particle of doubt harboured by a former Deputy Provost of the Nigerian Institute of Journalism, Dr Dele Omojuyigbe, when fraudsters fed him his accurate account information with a new generation bank.

With each confidential information cementing his trust, Omojuyigbe lowered his guard, unknowingly opening the door for the proverbial thief to loot and destroy as he innocently answered questions put across to him after his data had been harvested.

“I was conned. They were asking me questions. But because of all the information they gave me, I believed them. No one could have such information except people working in the bank. So, I let down my guard. They told me many things no one could have known except people working in the bank. The information I was given were the things I filled in my form. Confidential report,“ he told Sunday Telegraph.

Still reeling under the pain of his lost money after his sad data breach experience, the journalism lecturer had his account cleared again despite assurances by his bank that solid measures had been put in place to ensure it was secure after lodging a complaint.

“When it happened, I went to the bank to complain and they blamed me for what happened. Well, I said no problem. Let me close the account. They told me I shouldn’t. I told them I was no longer comfortable with the account. But they assured me that there was no problem. They said they would put security and rectify the problem. They also told me to change my ATM card. I did. So, the following morning, I transferred N100,000 from one of my accounts in another bank to the account. I did that in Agege when I was coming from home.”

He added: “Before I got to school, I had received an alert that the N100,000 had been withdrawn by an unknown person. I went straight to the bank, reminding them of their assurance. They had to be begging. The managers and everyone were calling. I stopped transactions in the bank that day because I was furious. I stopped everyone from working. I eventually got my money back. They said the lady that handled the case was new on the table. They said she didn’t do what she ought to have done.”

‘I’m not a person you can scam’

In a Facebook post, consumer rights advocate, Sola Salako, revealed the identity of a suspected scammer, who stated pieces of information she considered confidential in an attempt to get her to lower her guard.

She wrote: “First Bank of Nigeria Limited one Mrs Kate Okafor, a scammer just called me on 08104928678. She had my date of birth and account number. Your data is compromised!”

When Sunday Telegraph reached out to her, she narrated how telling Okafor she was not one to be scammed after futile attempts to extract information from her ended their conversation abruptly.

“I got a call from a number I didn’t know. The lady said her name was Mrs Kate Okafor. She said she was calling from First Bank customer service and asked if I received a message from the bank, that the bank was upgrading its system and some discrepancies were found in my record. She mentioned my date of birth and said they found conflicting dates of birth in my record. I knew it was a lie. There is no way there would be two dates of birth in my record. I have never created any confusion about my date of birth.And the account is not one I use all the time.

“So, I know there is nothing wrong with my account. I said what she was saying didn’t make sense. Then, she asked, ‘Is this not your account number?’ She stated my account number. So, where did she get my account number and my date of birth that’s supposed to be something confidential? So, how did Mrs Okafor get my information that she was able to call me. Of course, she has my phone number. That means she has access to my basic information from First Bank. So, they need to check it. It means their system is compromised.”

How fraudsters sell NINs,BVNs,steal victims’ money

The Economic and Financial Crimes Commission (EFCC), on June 25, issued a red alert, stating that about 12, 000 Nigerian youths across the country buy personal information of victims(Bank Verification Number, National Identity Number, et al)

“It is important to disclose that this fraud scheme is largely driven by an army of young Nigerians offering a paltry payment of between N1, 500 and N2,000 to their victims to make them surrender a copy of their personal information details to them and sell the same information to some Fintech Institutions for about N5,000,” the commission stated.

On how the pieces of information are used, the EFCC explained: “These information are then used to open accounts with Fintech companies for investment scams and sundry fraudulent schemes.”

Also, the commission disclosed that unsuspecting Nigerians are baited with charitable payments, airline ticket discounts, investment opportunities by fraudsters, tricked into revealing sensitive personal data. The scheme, the EFCC said, involves the use of Malware to gain unauthorised access to the account information of unsuspecting victims.

“A case in point was a “Promo” offering the public 50 per cent discount of ticket purchase in a leading foreign airline. Victims are led to pay a token of N500 into the account of the airline. The N500 payment, which is now dressed as Charity payment is the leeway through which the fraudsters gain access to their victim’s personal information.

“The victims were deceived into downloading the App of the airline to be eligible for the discount. However, after downloading the App and gaining unauthorised access to their personal details, funds were moved from the victim’s bank account into an account in a Microfinance Bank,” it added.

With N100, we bought Minister Tijani’s NIN slip

Just last year, Executive Director of Paradigm Initiative, Gbenga Sesan, disclosed that his organisation bought Minister Bosun Tijani of the Communications and Digital Economy ministry’s Number (NIN) slip for just N100 while expressing a data breach and privacy concerns with Nigeria’s identification database.

“We got the NIN slip of the minister, Dr Bosun Tijani; we got the NIN slip of the number one data regulator in Nigeria, Dr Vincent Olatunji.

“We bought them for N100 each to demonstrate that this is not a joke. It basically means that your identity is for sale for N100.”

Dwelling on the implication of data breach on national security, he continued: “The real implication is that anything we can do with a NIN slip, we can get a SIM card with that. Who knows if anyone has the President’s SIM card right now. Or the National Security Adviser? A military general leading warfare in a place where they are dealing with terrorists?

“What if a terrorist bought the general’s NIN slip, got his SIM card and sent a message to the troops and said, ‘Meet me at 0700. 14 degrees north,’ just to ambush them? The implications are serious. It means that anybody can claim to be you. They can get your SIM card and do it.”

Rising data breaches

Over the years, despite efforts by government agencies to curb the spate of data breaches, concerns are still rife about the effects on businesses and implications for national security.

In the first quarter of 2025 alone, a global data breach report from cybersecurity firm, Surfshark, revealed that Nigeria recorded over 119,000 leaked data breaches.

According to the report, about 23.2 million Nigerian user accounts have been compromised since 2004. The report noted that 7.3 million unique email addresses were exposed. 13 million passwords were leaked alongside the accounts.

It added: “56 per cent of users whose accounts were compromised are at risk of identity theft, extortion, or unauthorised account access.”

Also, the Nigeria Data Protection Commission(NDPC) stated that it recorded a steady rise in investigations into privacy violation cases in 2022, 2023 and 2024, with 117, 177 and 213 cases respectively.

Wielding the big stick

Recently, the Nigeria Data Protection Commission fined MultiChoice Nigeria N766,242,500 for allegedly breaching the Nigeria Data Protection Act.

According to the commission’s Head of Legal, Enforcement and Regulations, Mr Babatunde Bamigboye, NDPC found, among other things, that MultiChoice violated the data privacy rights of its subscribers and individuals associated with them, who are not necessarily subscribers.

Bamigboye noted that the commission also discovered that MultiChoice engaged in the illegal cross-border transfer of personal data belonging to Nigerian data subjects.

He added: “The depth of data processing by Multichoice is patently intrusive, unfair, unnecessary, and disproportionate.

“This is a grave affront to the fundamental right to privacy as enshrined in Section 37 of the 1999 Constitution of the Federal Republic of Nigeria.”

Only last year, the NDPC said it fined Fidelity Bank 0.1% of its 2023 revenue, or $358,580, for violating data laws in opening a customer account.

Explaining how the expansion of the digital ecosystem has increased the risk of being scammed in an interview with Sunday Telegraph, cybersecurity expert and Chief Technology Officer, Digital Encode, Dr Seyi Akindeinde, said: “It is not that we are not doing anything right. More people are moving online these days. There are more platforms. There are more Fintechs. There is an expansion of the digital ecosystem. These days, everybody is moving online. There are more solutions online. There are more educational solutions online. There are more payment systems online. This year, I read that there are more people with ATM cards, more people ordering food online, more people doing online banking. People that didn’t do all of these last year are getting online.”

Concerns over Japa, internal collusion

Speaking on how the quest for greener pastures abroad by techies in financial institutions and corrupt staff deepen the data breach crisis, Akindeinde said : “Institutions can do more. I think the problem is two-fold . The first is that a lot of these institutions are losing a lot of their staff to the Japa(emigration) thing. And it’s not easy to fill the blank space. Imagine a person that has been working in a place for six to seven years and he already knows the system, and all of a sudden, he leaves for Canada. There is no way you can quickly get somebody that will fill their space. I know some institutions that lost an entire department to Japa. It is not easy . If you get people, even when you train them, it is going to take a while for them to get to the level of the one that left.

“A lot of these things you are seeing are due to some unscrupulous elements. Of course, financial institutions can do better. I know a few banks that have lost 50 per cent of their top staff to Japa. And it’s not easy to replace them, especially the techies that work in the backend. It is not easy to replace them. Even if you are a degree holder, you still have to be trained. Most of the sharp practices have to do with internal collusion.”

In its ‘Reports of Fraud and Forgeries in Nigerian Banks’’ between the second quarter of 2021 and Q2 2023, the Financial Institutions Training Centre(FITC), expressed worries about the involvement of bank workers in fraud cases in Nigeria. According to the report, 19 employees of banks were sacked between April and June 2022, due to their involvement in fraudulent activities. This figure, FITC said, represents a 90 per cent increase when compared to the 10 employees sacked in the first quarter of 2022.

‘How we’re tackling data breaches’

Speaking on the measures taken by the NDPC to tackle data breaches, the commission’s Head of Media, Itunu Dosekun, said the commission had launched several awareness campaigns using both traditional and digital media.

“One of our innovative steps was the engagement of a social media influencer as a Data Protection Ambassador, to help drive the message of data privacy and protection across various audiences, especially the youth. The Commission has also engaged extensively with Ministries, Departments, and Agencies (MDAs) across sectors. These engagements include advocacy visits to promote awareness of the importance of data protection, the risks associated with not safeguarding personal data, and the consequences of data breaches. We have provided free training and organised workshops for both public and private sector organizations,” he told Sunday Telegraph

He continued: “In line with our Public-Private Partnership (PPP) model, the Commission has partnered with several organisations across both the public and private sectors. Some of these partnerships have resulted in the signing of Memoranda of Understanding with key institutions such as NICOM, SMEDAN, the Ministry of Youth Development, the National Lottery Regulatory Commission, and various state governments. These collaborations aim to support regulatory compliance, increase public awareness, build capacity, prevent data breaches, and promote a culture of data protection across Nigeria. Additionally, we have licensed over 240 Data Protection Compliance Organisations (DPCOs) to support the implementation of compliance measures and to raise awareness nationwide.”

According to Dosekun, international collaboration remains a priority of the commission, noting that it has established partnerships with countries including Ghana, Kenya, Canada, the United Kingdom , the United States, and the United Arab Emirates to foster knowledge exchange and address issues related to cross-border data transfers, ensuring that the personal data of Nigerians, both within the country and abroad, is securely protected.

Our challenges – NDPC

Commenting on the progress and the challenges confronting the NDPC in its drive to significantly curb data breaches, Dosekun said: “When we began this journey, there were fewer than 5,000 data protection professionals in Nigeria. Recognising the need for over 500,000 Data Protection Officers (DPOs), we domesticated the certification process to encourage local participation in this growing field. So far, over 500 Nigerians have been trained and certified at no cost, and we now have more than 20,000 experts in the ecosystem, contributing to job creation and national capacity building. To further scale our impact, we have launched the Virtual Privacy Academy, an innovative platform where data protection is taught in an engaging, movie-style format to make learning more accessible and relatable. In addition, we have introduced a major training initiative aimed at equipping one million Nigerian youths with data protection skills, as part of our ongoing partnership with the Ministry of Youth Development.

“Our approach is not to penalise organisations immediately. Data protection is still emerging globally, and our primary aim is to raise awareness and support businesses rather than stifle them. We prioritise dialogue, understanding, and remediation. However, in a few exceptional cases, such as the Bank and MultiChoice, regulatory action was necessary due to non-cooperation during investigations.

“Some of the major challenges we continue to face include limited public awareness, a shortage of trained DPOs, and insufficient funding.”

Never share your data – NIMC warns

Following the disclosure by the EFCC that some citizens share their personal information for financial rewards, the National Identity Management Commission, NIMC, warned that it would not be held responsible for any personal information shared by an individual directly or by proxy for the purpose of financial gain or inducement.

According to a statement by the Head, Corporate Communications of NIMC, Dr. Kayode Adegoke, the commission stated: “Nigerians have been informed repeatedly in the past by the NIMC not to disclose their NIN to any unauthorised individual or organisation. Equally of note is that any NIN presented to access services must be duly verified before granting such services. Nigerians and service providers should note this.”

It urged the general public is to download the NIN App on either Apple iOS or the Google Play Store to enjoy seamless benefits, including but not limited to protection and security of the NIN, and the power to control personal information on the NIN”

FCCPC fails to speak

Efforts to get the Director of Corporate Affairs, Ondaje Ijagwu, of Nigeria’s consumer protection agency,the Federal Competition and Consumer Protection Commission (FCCPC), to speak on how the commission is performing its statutory role of protecting Nigerians hit a brick wall as he neither responded to several calls put across to him nor messages.

Need to scale up public awareness

According to Dr Seyi Akindeinde, there is a need to intensify public awareness to check the activities of cyber fraudsters.

“We have more breaches because a lot of them(victims) are not aware of the security practices they should engage in. It is not that companies and individuals are not doing what they are supposed to do. They are doing it but it still boils down to what people do. There is nothing you can do if someone is willing to give their financial details… What we advocate now is for people to be vigilant.

“They should not click on any link. They should make sure that wherever they are putting their details online is legitimate. And, people should also use two-factor authentication. Two or three weeks ago, they said almost two billion email addresses were compromised with their password online. I think there should be more public awareness.”

Aligning her thoughts with Akindeinde, consumer rights protection advocate, Sola Salako, noted :“The consumer protection system in Nigeria is still a work in progress. The kind of protection that you expect, you may not get it as soon as you should. So, the first line of defence is your own enlightenment. You need to empower yourself. You need to know your rights. You need to know how to protect yourself and not believe everything you read or hear. Do not respond immediately to the first information, either by email, by phone, Whatsapp or by whatever means, no matter how alarming it feels . That’s the first rule. Instead of responding to the message or information you get, pick up your phone and call the service provider. Initiate the call. Don’t respond to any message sent online.

“The government is supposed to do more. CBN is supposed to put more pressure on banks to protect people’s data. There are more structures they need to put in place to ensure that unscrupulous persons like Mrs Kate Okafor don’t have access to information. These people are more and more brazen and they have access to information that will convince you that something must be wrong with your account.”