By Kelechukwu Uzoka Esq.
I have watched three significant incidents unfold in Nigeria within the space of weeks.
Remita – the infrastructure behind the Federal Government’s Treasury Single Account, processing transactions for millions of Nigerians – allegedly had roughly 3 terabytes of data exfiltrated, including KYC documents, password hashes, internal databases, and source code. Sterling Bank, one of Nigeria’s top commercial banks, faced similar claims around the same period. Then, on April 15, 2026, the Corporate Affairs Commission confirmed unauthorised access to its systems.
The CAC: Nigeria’s entire corporate registry. Every director. Every shareholder. Every registered address. Every beneficial ownership record. Every piece of identity documentation submitted to verify the people behind a company. When a bank conducts due diligence on a corporate client, it checks the CAC. When anyone needs to establish the legal ownership of a company, they go to the CAC. When the EFCC investigates a fraud, it pulls CAC records. The list goes on, and it shows how sacred the data held by the CAC is.
Which company, organisation or government agency is next?
This should disturb every lawyer, every business owner, every director, and every investor operating in Nigeria.
Here is what the law says. The Nigeria Data Protection Act 2023 places clear obligations on data controllers regarding breach notification, appropriate technical and organisational measures, data minimisation and accountability.
According to The Guardian newspaper, in August 2024, the NDPC imposed a N555.8 million fine on Fidelity Bank over data protection violations, and MultiChoice Nigeria was sanctioned N766.2 million for unlawful data processing, one of the largest penalties issued under the current regulatory regime. The enforcement posture is changing.
But enforcement after a breach is the last resort. Prevention is the obligation.
Here is where I think the legal profession has an underappreciated role.
Lawyers advise on contracts, structure transactions, manage disputes, and counsel boards. But how many of us are asking our clients, at the point of engagement, at the point of structuring a company, at the point of signing a technology contract, whether their data governance framework is fit for purpose? Whether their vendor agreements contain adequate data processing clauses? Whether their incident response plan exists and has been tested?
At GITEX Africa 2026 held in Marrakesh, Morocco, NITDA’s Director-General noted that human error causes 95 per cent of digital security breaches, and AI makes those breaches harder to detect. Most of these incidents do not begin with genius-level hacking. They begin with misconfigurations, weak access controls, untrained staff, and systems that were digitised without a corresponding investment in security infrastructure.
That is a governance failure. And governance failures are squarely within the advisory mandate of lawyers.
For businesses, the question is no longer whether you will be targeted. A 2025 report ranked Nigeria third in Sub-Saharan Africa for total data breaches since 2004, with over 23 million compromised accounts. Financial services, public sector platforms, and any organisation holding personal data at scale are prime targets. The cost of a breach – regulatory fines, litigation exposure, reputational damage, loss of investor confidence – will almost always exceed the cost of building proper defences.
For government institutions specifically, the standard cannot be lower than what is demanded of the private sector. If anything, it must be higher. Public institutions hold data that citizens have no choice but to submit. That creates a heightened duty of care and a heightened responsibility to meet it.
Cybersecurity deserves a seat at every board table, every transaction advisory conversation, and every regulatory compliance review.
The breaches will continue. The question is whether organisations, public and private, will get serious about prevention or wait to manage the consequences.
I advise clients on data protection compliance, technology contracts, and the governance frameworks that sit at the intersection of law and digital risk.
Happy to connect with founders, executives, and institutions thinking seriously about these questions.
Kelechukwu Uzoka can be reached via kcuzoka@gmail.com