There is growing outrage in the banking space as customers of Sterling Bank grapple with what may go down as one of the most disturbing data security scares in recent times, a breach that has reportedly left highly sensitive personal and financial information dangerously exposed.
At the center of the storm is a shadowy but increasingly notorious dark web actor known as ByteToBreach, who has claimed responsibility for infiltrating Sterling Bank's systems and gaining access to an alarming volume of customer and employee data.
Sensitive Data Allegedly in the Wrong Hands
According to findings by ENigeria Newspaper, the hacker claims to have accessed data linked to nearly one million customer accounts, alongside over 3,000 employee records, including details tied to the highest levels of the bank’s leadership.
The allegedly compromised data is deeply sensitive and includes Bank Verification Numbers (BVN), NUBAN account numbers, passport and driver’s license details, transaction histories, loan records and credit scores, and internal employee data up to executive level, among others.
For many customers, this is not just a technical issue; it is a personal security nightmare in a country already grappling with kidnapping and financial fraud.
Sterling Bank Customers Panic Over Safety Risks
The fallout has been immediate and intense.
Panicked Sterling Bank customers, apprehensive that their personal data could fall into the hands of criminal networks, are reportedly considering closing their accounts en masse, according to recent observations. The concern may seem simple on the surface, but it is frightening: in an era where kidnappers and fraudsters rely heavily on insider information, this kind of breach could have real-world consequences beyond financial loss.
“This is no longer about banking convenience, this is about safety,” one concerned customer told ENigeria Newspaper on Saturday in Lagos.
Alleged Technical Failure Raises Serious Questions About Sterling Bank Digital Infrastructure
Details emerging from the breach suggest a deep-rooted vulnerability in the bank’s digital infrastructure.
ENigeria Newspaper reports that the attack exploited a flaw in Oracle WebLogic Server, critical middleware that connects public-facing applications to private databases. By bypassing authentication layers, the attackers were able to extract approximately 2.2 GB of sensitive data, including Personally Identifiable Information (PII) of over 900,000 customers.
Cybersecurity experts warn that such data is highly valuable for advanced fraud tactics like “social engineering 2.0”, where criminals use real customer data to convincingly manipulate victims into revealing one-time passwords (OTP) and other critical credentials.
Is Sterling Bank A Distracted Bank?
Industry watchers say the incident paints a troubling picture of misplaced priorities by the leadership of the bank.
Under CEO Abubakar Suleiman, Sterling Bank is now facing criticism that it may have failed to invest adequately in critical cybersecurity infrastructure, while allegedly focusing on less essential pursuits.
“This is what happens when institutions chase optics instead of operational resilience,” a financial analyst noted. “In modern banking, data security is not optional, it is foundational.”
Federal Government Investigates Sterling Bank Over Data Breach
The gravity of the situation has triggered regulatory intervention.
The Nigeria Data Protection Commission has officially launched an investigation into the alleged breach, extending its probe to include both Sterling Bank and Remita Payment Services Ltd., a key player in Nigeria’s digital payment ecosystem.
According to the Commission, a Notice of Investigation was issued on April 1, 2026, with relevant parties already undergoing questioning.
Dr. Vincent Olatunji, National Commissioner and CEO of the NDPC, has directed that the probe be widened, warning that any organization found to have failed in implementing required data protection measures under the Nigeria Data Protection Act (2023) will face severe consequences.
Crisis of Confidence
For Sterling Bank, the implications go beyond regulatory scrutiny.
This incident threatens to erode customer trust, which is the very foundation upon which banking institutions survive. In an industry where confidence is currency, even the perception of vulnerability can trigger long-term reputational damage.
The situation also raises a broader question about the state of cybersecurity preparedness within Nigeria’s financial system, especially as digital banking adoption continues to surge.
ENigeria Newspaper reports that while investigations are ongoing, one thing is clear: the alleged breach has exposed not just data, but potential systemic weaknesses in how sensitive financial information is protected.
For customers, the fear is immediate and personal; for regulators, the stakes are institutional; for Sterling Bank, this moment could define its credibility for years to come.
If the allegations are confirmed, this could mean not just a data breach but a total failure of trust, oversight, and technological responsibility.
In today’s digital economy, where data is as valuable as money itself, any institution that fails to protect it risks not just financial loss, but total collapse of public confidence.
And right now, for many Nigerians, the question is no longer if their data is safe, but who already has it.









