Sometime in late March, a threat actor known as ByteToBreach waltzed into Sterling Bank’s systems through a back door the bank already knew was broken and had left unrepaired for three months. The actor spent nine days inside, documented everything he found, and then told the world about it through a post on a criminal forum. In the aftermath, Sterling Bank said nothing to its customers.
Remita said nothing to its customers. The Corporate Affairs Commission (CAC) issued a statement that described the incident in language so understated it barely resembled what had actually happened. The Nigeria Data Protection Act (NDPA) 2023 does not permit this kind of silence.
None of them apologised. That is the story, not the hack itself, not the hacker, but the institutional silence that followed, and what that silence reveals about how Nigerian organisations treat the people whose data they hold. To understand what happened across these three breaches, it helps to think of each one as a door that was left open.
Not hidden, not locked, just open. Sterling Bank’s door was a testing server, a pilot environment that developers use to try things before they go live on production systems. It had a known, maximum-severity vulnerability, the kind that cybersecurity teams flag with red alerts and urgent remediation timelines.
The bank was aware of it. The door stayed open for three months anyway. ByteToBreach walked through it and spent nine days documenting everything inside.
Remita’s door was not even Remita’s fault to leave open. ByteToBreach found the keys to its systems sitting inside Sterling Bank’s files. Production credentials, the kind of login details that should live in a secure, access-controlled vault, were stored in plaintext inside a code repository that the actor had already accessed through Sterling Bank.
Think of it this way: the actor broke into one office, found a clearly labelled key to the office next door hanging on the wall, and used it without breaking a sweat. Remita was never the target. It was collateral damage from a decision Sterling Bank made about how to store sensitive information.
The CAC’s door was different in character and far more alarming in consequence. The CAC is not a commercial database holding transaction records. It is the legal ground truth of Nigerian corporate life, the authoritative record of every director, every shareholder, every registered address, every board resolution, every passport and NIN submitted to verify identity.
When the EFCC investigates a fraud, it checks the CAC. When a court disputes the ownership of a company, the answer lives at the CAC. When a bank conducts due diligence on a corporate client, the CAC is where it goes.
This is foundational infrastructure, and ByteToBreach walked into it because the system used sequential integers as staff user IDs. User 4705310. User 4705311. User 4705312. The actor used a standard security testing tool to count upward through those integers until the system returned a valid login token for user 4705317. No password. No second authentication factor. No challenge of any kind. A randomly generated ID with billions of possible values would have made this attack computationally impossible.
The CAC used a predictable counting sequence instead, and ByteToBreach’s own annotation on the screenshot he published confirmed exactly how elementary the method was. Once inside, he created a personal account in the back-office system under the username bytetobreach, assigned himself staff ID 666, and proceeded to grant that account 474 administrative roles covering every functional area of the CAC’s administrative portal. That meant full access to staff records, company profiles, director and shareholder details, home addresses, dates of birth, passport scans, NIN numbers, and the document approval queue.
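One defensive check the mechanism above points to, as an added example that is not from the article or from any organisation it names: a small Python detector that reads constructed authentication log lines (the log format, client addresses and timestamps are assumptions) and flags a client whose requested user IDs form a consecutive run, the trace an ID-enumeration attempt leaves in server logs.

```python
# Added example (not from the article): flag a client that walks user IDs
# sequentially against a token endpoint. Log format, client addresses,
# timestamps and the endpoint path are constructed for this example.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<path>/\S+?)\?user_id=(?P<uid>\d+) (?P<status>\d{3})$"
)

# Constructed sample: one client probes consecutive IDs until a 200 appears;
# a second client makes two ordinary requests and should not be flagged.
SAMPLE_LOG = """\
2024-03-28T10:00:01Z 203.0.113.5 /api/auth/token?user_id=4705310 401
2024-03-28T10:00:02Z 203.0.113.5 /api/auth/token?user_id=4705311 401
2024-03-28T10:00:03Z 203.0.113.5 /api/auth/token?user_id=4705312 401
2024-03-28T10:00:04Z 203.0.113.5 /api/auth/token?user_id=4705313 401
2024-03-28T10:00:05Z 203.0.113.5 /api/auth/token?user_id=4705314 401
2024-03-28T10:00:06Z 203.0.113.5 /api/auth/token?user_id=4705315 401
2024-03-28T10:00:07Z 203.0.113.5 /api/auth/token?user_id=4705316 401
2024-03-28T10:00:08Z 203.0.113.5 /api/auth/token?user_id=4705317 200
2024-03-28T10:00:09Z 198.51.100.7 /api/auth/token?user_id=4712000 200
2024-03-28T10:01:00Z 198.51.100.7 /api/auth/token?user_id=4712001 200
"""

def parse(log_text):
    """Return (src, uid, status) tuples for every line matching LOG_RE."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            events.append((m["src"], int(m["uid"]), int(m["status"])))
    return events

def longest_run(uids):
    """Length of the longest run of consecutive integers, in request order."""
    if not uids:
        return 0
    best = run = 1
    for prev, cur in zip(uids, uids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_enumeration(events, min_run=5):
    """Map each client whose user IDs form a run of at least min_run to the
    run length and the IDs that returned 200 (the guesses that yielded a token)."""
    by_src = defaultdict(list)
    for src, uid, status in events:
        by_src[src].append((uid, status))
    alerts = {}
    for src, reqs in by_src.items():
        run = longest_run([u for u, _ in reqs])
        if run >= min_run:
            alerts[src] = {"run": run, "hits": [u for u, s in reqs if s == 200]}
    return alerts
```

A run of consecutive IDs from one client is a strong signal on its own; a 200 at the end of such a run is the event that should page someone, because it means the guessing worked.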
There was also a second access path that required no authentication at all: the CAC’s document management system allowed direct file downloads from a public-facing subdomain, with the only barrier being knowledge of the filename. The lock was not a lock. It was the assumption that nobody would guess.
ByteToBreach claims he downloaded approximately 25 million documents totalling 759 gigabytes of data. He confirmed to David Odes, Founder of Web Security Lab (who published a comprehensive analysis of the breaches here and conducted a direct interview with the actor), that 25 million was the initial, conservative count; the true volume of CAC data in his possession, he said, was probably higher.

What the CAC said, and what the evidence shows

The CAC’s public statement, issued on April 15, described the incident as “unauthorised access to limited aspects of its information systems.” The agency confirmed it is reviewing the incident and working with NITDA, and advised stakeholders to monitor their records, update login credentials, and remain cautious of unsolicited communications. The artefacts ByteToBreach published tell a different
