The Nigeria Data Protection Commission has raised concerns over coordinated cyber threats targeting Nigeria’s financial systems and critical digital infrastructure, warning organisations to urgently strengthen their data security frameworks.
The commission issued the alert in a Data Protection Advisory directed at data controllers and data processors across the country.
According to the regulator, its technical assessment revealed that “shadowy threat actors” have launched coordinated cyber operations targeting key systems that support financial services and digital platforms in Nigeria.
The warning reflects growing regulatory concern about the vulnerability of institutions that power payment platforms, banking services, telecommunications networks, cloud services, and government digital systems.
In the advisory signed by the Commission’s Head of Legal, Enforcement and Regulations, Babatunde Bamigboye, organisations that handle personal data were urged to immediately reinforce both technical and organisational safeguards to protect Nigerians and other data subjects.
“The Commission strongly advises that data controllers and processors (including MDAs) are to urgently step up their technical and organisational measures to ensure the privacy of all Nigerians and other data subjects in line with the Nigeria Protection Act, 2023,” the advisory stated.
The NDPC outlined several steps organisations should take to reduce exposure to cyber threats.
These include appointing trained and certified Data Protection Officers, implementing comprehensive privacy policies and information security standards, and conducting Data Privacy Impact Assessments.
The Commission also advised organisations to deploy robust identity and access controls such as Multi-Factor Authentication, adopt a zero-trust security architecture, implement network segmentation, and promptly address system vulnerabilities through continuous patch management.
Additional recommendations include strengthening the protection of cloud infrastructure, application programming interfaces, databases, and access credentials.
Organisations were also urged to implement real-time monitoring, logging, and threat detection systems, alongside encryption and secure credential management practices.
Furthermore, the regulator encouraged entities to conduct regular Vulnerability Assessment and Penetration Testing on critical systems, while maintaining consistent backup, recovery, and resilience testing protocols.
Under the Nigeria Data Protection Act 2023, organisations acting as data controllers must report personal data breaches to the Nigeria Data Protection Commission within 72 hours of becoming aware of the breach if it poses a risk to the rights and freedoms of individuals.
Where a breach is likely to result in a high risk to affected individuals, the organisation is also required to notify the affected data subjects immediately and provide guidance on steps they can take to mitigate potential harm.
The NDPC said strict compliance with these measures is essential to safeguarding Nigeria’s rapidly expanding digital ecosystem against emerging cyber threats.






