By Olumide Babalola, PhD
![](https://thenigerialawyer.com/wp-content/uploads/2024/11/TheNigerialawyer-WhatsApp-Channel1.jpg")
Let me start by admitting that while personal data breaches are almost inevitable, their occurrences should not, however, be ignored without consequences or implications. While preparing this article, I discovered that in the first quarter of 2026, Nigeria ranked the 34th most breached country in the World (see The Guardian, May 6, 2026. Nigeria records 281,500 leaked accounts in Q1).
Since 2019, Nigeria and Nigerians have experienced a series of scary data breaches and cybersecurity incidents across the public and private divide. In 2019, the Lagos Internal Revenue Service (LIRS) suffered a breach that exposed the personal data of thousands, if not millions, of taxpayers through its web portal, resulting in a rumoured fine of ₦1 million by the National Information Technology Development Agency (NITDA). In 2020, MoMo Payment Service Bank experienced a breach shortly after its launch, followed in 2021 by a ransomware attack on Bet9ja, attributed to the BlackCat ransomware group, and a major data exposure involving PLASCHEMA, where approximately 45GB of sensitive personal data affecting around 37,000 Nigerians were left unsecured in cloud storage.
In 2024, reports emerged that sensitive Nigerian citizens’ data were being sold online for as little as ₦100, underscoring the growing black market for personal information. During this period, the Nigeria Data Protection Commission (NDPC) reportedly initiated investigations into over 1,300 organisations for data protection compliance failures, but with no published outcomes. Enforcement actions included a penalty against Fidelity Bank for unlawful data processing practices, as well as a high-profile $220 million fine imposed on Meta Platforms over the mishandling of Nigerian user data across its platforms but these actions have not culminated in tangible results for the government or citizens.
Between 2025 and 2026, Nigerians have faced an escalation in both the frequency and severity of cyber incidents, particularly affecting critical institutions. Reported breaches have involved major entities such as Remita, Sterling Bank, the Corporate Affairs Commission, and the National Bureau of Statistics. In 2026, the Chartered Institute of Bankers of Nigeria was reportedly affected by a significant breach involving an alleged 250GB data leak. Earlier, in 2025, Princeps Credit Systems suffered a ransomware attack linked to the KillSec group. These incidents are occurring alongside ongoing ransomware campaigns actively targeting government agencies and financial institutions, indicating a sustained and evolving threat landscape across Nigeria’s digital ecosystem.
The Aftermath of Data Breaches in Nigeria: A Story of Silence and Resignation
When news of a data breach breaks in Nigeria, whether it is a government agency database, a bank’s job portal, or a betting platform, the pattern is predictable and ritualistic. A headline flashes. A regulator mumbles words like “investigating” or “taking necessary steps.” Then, nothing. The noise fades. Life goes on. And that’s precisely the problem. Here, let’s analyse what actually happens, or rather, what doesn’t happen, after a personal data breach, from three angles: the regulator, the breached entity, and the ordinary Nigerian whose personal information life has just been quietly ransacked.
From the Regulator’s Desk, we’ve heard it so many times and it has now almost become an automated announcement on “investigation.” Admittedly, they have fined a couple of organisations, but where are the reports and eventual enforcement outcomes? Instead, the public is left with vague statements and the quiet feeling that an “investigation” is often just a polite way of saying, “We’ve noted your concern, please move along.”
Compared to the scale of breaches affecting millions of Nigerians, the response looks less like regulation and more like routine. What the public desperately needs is timely, public conclusions of investigations, announced sanctions for violators (not shrouded in confidentiality), clear timelines for compliance fixes and transparency reports that show citizens someone is actually watching. Without these, the regulator risks becoming a bystander with a notepad, not a shield.
From the Breached Entity. When a Nigerian bank, a telecom, a government contractor, or a fintech app gets breached, what do they do? Ideally, customers ought to receive an email within hours or days expressing regret and showing empathy while informing them of what happened, what the entity is doing, and protective measures yourself. In Nigeria? No SMS. No email. No push notification. No apology. No clear explanation of what data was taken (your name? email address” telephone number? Your NIN? Your BVN? Your mother’s maiden name? Your transaction history? Your address? Your password in plain text?
Instead, customers find out from a random tech blog, tweet or WhatsApp broadcast. And if the company chooses, they may issue a half-hearted statement to the press that’s full of corporate speak. What’s worse, many breached entities simply hope customers never notice. They hope the news cycle moves on. They hope you won’t ask questions. And because most Nigerians don’t have the tools or time to verify a breach themselves, the strategy often works. Somehow, they manage to have these hopes actualised, as Nigerians have also quickly moved on in the past. Just like they say: “We Meove”!
For the Data Subject (You, Me, the everyday Nigerian), we see the most puzzling piece of the puzzle, i.e. the customers themselves. By all logic, if millions of Nigerians had their NINs, bank details, passports photographs, and addresses leaked online, we should ordinarily see reactions like, barrage of complaints or petitions to regulators and consumer protection agencies, class action lawsuits (or at least small claims) against negligent companies, open letters from civil society, students, lawyers, and tech groups demanding accountability, petitions to the National Assembly or media campaigns and public shaming.
Surprisingly, we don’t or hardly ever see these kinds of reactions. It feels like most Nigerians have no idea what a personal data breach really means, or they don’t care. They don’t know that leaked passwords can be used for “credential stuffing” to break into their email, social media, or even their bank account six months later. They don’t know that a leaked NIN combined with a phone number can enable SIM swap fraud. To the average Nigerian, “data breach” is abstract and technical. Unless money vanishes from their account tomorrow, and they might not even connect that to a breach from last year, they don’t feel the urgency.
Many studies have shown that most Nigerians are usually numb to privacy violations as an after-effect of years of unsolicited spam calls, messages from “unknown” numbers knowing your exact name, scam emails that mention your address, and the general feeling that your information is floating somewhere in the cloud, people just shrug with a sense of vulnerability. This should not, however, be attributed to laziness but ‘informed’ helplessness. When they have never seen a company truly punished, never received a real apology, never seen a regulator publicly shame a violator, why would Nigerians believe that speaking up will change anything?
Many of the entities that lose our data are powerful ones (the banks, government agencies, big corporations). The average Nigerian knows that complaining to a bank about a breach might get their account flagged, or their loan request quietly denied next time. There’s a quiet fear: “If I cause trouble, they will find a way to punish me.” And let’s not forget, litigation in Nigeria is expensive, slow, and uncertain. A class action lawsuit sounds great in theory, but who funds it? How many has succeeded in the past? Who has the stamina to chase a case for years? In a country where most people are just trying to survive daily life, fighting a data breach feels like a luxury.
There is also the issue of (in)tangible loss. Many Nigerians have not felt the direct sting of a personal data breach yet. But the danger is delayed. That’s the cruel trick of data breaches. The stolen data sits on dark web marketplaces for months or years. It gets sold, resold, bundled with other breaches, and used long after the victims have forgotten the incident ever happened.
Conclusion
When one looks at the turn of events around persona data breaches in Nigeria, it becomes hard to ignore an uncomfortable truth that as a society, we might say we value privacy, but our actions tell a very different story. Maybe, deep down, many Nigerians have concluded that privacy is a luxury we cannot afford or a battle not worth fighting. Understandably, when one is worried about poverty, rising cost of food and necessities, stressing over who has one’s phone number feels secondary.
Regardless of this explainable privacy apathy, the collective snub of personal data breaches comes with consequences. Data breaches fuel fraud, frauds erode trust and a society that does not demand privacy protections rarely gets them. If we truly want change in this regard, it will not come from a law or a regulation alone. It will come from a shift in how we, as Nigerians, value our own information and from showing a little less patience the next time our personal data ends up where it should not be. Until then, judging by our routine silence to data breaches, one may conclude that maybe we do not really care about privacy or maybe we care, but not enough to do anything about it. And in practice, that is the same thing.
[A MUST HAVE] Evidence Act Demystified With Recent And Contemporary Cases And Materials
Available now for NGN 40,000 at ASC Publications, 10, Boyle Street, Onikan, Lagos. Beside High Court, TBS. Email publications@ayindesanni.com or WhatsApp +2347056667384. Purchase Link: https://paystack.com/buy/evidence-act-complete-annotation
______________________________________________________________________
ARTIFICIAL INTELLIGENCE FOR LAWYERS: A COMPREHENSIVE GUIDE
Reimagine your practice with the power of AI “...this is the only Nigerian book I know of on the topic.” — Ohio Books Ltd
Authored by Ben Ijeoma Adigwe, Esq., ACIArb (UK), LL.M, Dip. in Artificial Intelligence, Director, Delta State Ministry of Justice, Asaba, Nigeria.
Bonus:
Get a FREE eBook titled “How to Use the AI in Legalpedia and Law Pavilion” with every purchase.
How to Order: 📞 Call, Text, or WhatsApp: 08034917063 | 07055285878 📧 Email: benadigwe1@gmail.com 🌐 Website: www.benadigwe.com
Ebook Version: Access directly online at: https://selar.com/prv626
______________________________________________________________________ “Bridging Theory And Courtroom Practice” — Hagler Sunny Okorie, Nathaniel Ngozi Ikeocha Unveil ‘Functional’ Tort Law Book For Nigerian Legal System
The book, titled The Law of Torts in Nigeria: A Functional Approach, authored by Professor Hagler Sunny Okorie Ph.D and Ikeocha, Nathaniel Ngozi Esq, offers law students, practitioners, and academics a comprehensive guide to understanding and applying tort law in Nigerian courts. Interested buyers can place orders via the following contact numbers: 08028636615, 08037667945, 08032253813, or +234 902 196 2209.
______________________________________________________________________
“Enhance Legal Practice With Authoritative Reports” — Alexander Payne Offers Comprehensive Law Reports, Spanning Over A Century Of Nigerian Jurisprudence
Interested buyers are encouraged to place their orders and enquiries via:
0704 444 4777, 0704 444 4999, 0818 199 9888
Website: www.alexandernigeria.com
