A fresh alleged data breach has emerged in Nigeria’s financial sector, targeting Fast Credit Finance Company Limited (fastcredit-ng.com), a microfinance and lending institution licensed and regulated by the Central Bank of Nigeria (CBN).
The claim surfaced publicly around April 25, 2026, through threat intelligence accounts on X (formerly Twitter). The post from Dark Web Informer included a direct shout-out to the threat actor known as iProfessor, describing the incident as one of the biggest hacks in Nigeria’s financial sector.
According to the announcement, the actor is offering approximately 870 GB of data containing 939,887 records for sale on a popular cybercrime forum, limited to just five buyers.
The alleged stolen data includes highly sensitive customer information such as personal identifiable information (PII), government-issued ID scans, loan and credit transaction records, bank statements, customer correspondence, contractual agreements, next-of-kin details, personal photographs and selfies, and other confidential records.
The actor specifically highlighted that a notable portion involves Nigerian police officers and law enforcement personnel, raising serious concerns about potential doxxing, targeted scams, blackmail, or risks to officer safety and ongoing investigations.
Screenshots shared appear to show sample loan documents and internal records, but the breach remains unverified and alleged.
As of April 26, 2026, no official confirmation or denial has come from Fast Credit, the CBN, or the Nigeria Data Protection Commission (NDPC).
This latest claim adds to a worrying wave of alleged cyber breaches hitting both financial institutions and government agencies in early-to-mid 2026.
The pattern includes high-profile incidents at the Corporate Affairs Commission (CAC), Remita payment platform, Sterling Bank, Economic and Financial Crimes Commission (EFCC), Lagos State University (LASU), and others.
A surge of attacks across critical systems
In the CAC breach, claimed by the group ByteToBreach, around 25 million files (about 750 GB) were allegedly exfiltrated. The CAC serves as Nigeria’s central registry for companies, holding vital data on ownership structures, directors, and beneficial ownership records essential for transparency and anti-money laundering reforms. The group posted detailed proof screenshots, including one labelled “GOV_BETRAYAL”.
The CAC temporarily shut down its registration portal, and the incident has raised fears that fraudsters could now more easily create shell companies or undermine due diligence by banks and investigators.
ByteToBreach also claimed responsibility for attacks on Sterling Bank (affecting customer accounts and staff records, including BVNs and NINs) and Remita, which handles government salaries, taxes, and payments.
On the law enforcement side, a threat actor linked to Nullsec Nigeria (using the alias “ki4t”) claimed a breach of the EFCC around April 21, 2026. The alleged leaked data reportedly includes agent names, phone numbers, operational code names, and password hashes, potentially compromising operatives and investigations.
Other targets in the recent wave include Lagos State University (LASU) and the Federal Housing Authority, showing that both public sector and educational institutions are under pressure alongside financial ones.
Financial and lending targets like Fast Credit are particularly attractive because loan data, IDs, bank statements, and personal photos hold high value for fraud, identity theft, and resale on the dark web.
NDPC response and regulatory actions
The Nigeria Data Protection Commission (NDPC) has publicly acknowledged coordinated threat activity against financial systems and critical digital infrastructure.
It has launched investigations into several of these incidents, including the CAC breach.
Vincent Olatunji, national commissioner and chief executive officer of the NDPC, has directed the commission’s technical team to engage relevant authorities. The NDPC is examining access control mechanisms, data privacy impact assessments, vulnerability assessment and penetration testing (VAPT), and due diligence on third-party processors.
The commission has issued a strong advisory to all government agencies and companies, urging them to appoint trained data protection officers, enforce multi-factor authentication (MFA), update software regularly, conduct security tests, encrypt sensitive data, and maintain proper backups.
It warns that weak security puts every Nigerian’s privacy at risk and could lead to regulatory fines.
Broader implications and concerns
If the Fast Credit claim is confirmed, the risks include widespread identity theft, financial fraud, blackmail, and potential compromise of law enforcement-linked customers.
Similar concerns arose from the alleged EFCC breach regarding operative safety. These incidents, if confirmed, expose systemic weaknesses in Nigeria’s digital infrastructure, such as legacy systems, unpatched vulnerabilities, misconfigured cloud storage, weak passwords, and insufficient staff training.
Nigeria faces thousands of cyberattacks weekly, and cybercrime has cost the country billions of dollars in recent years.
With the 2027 general elections approaching, experts worry that critical systems like those at the Independent National Electoral Commission (INEC) could also become targets.
For now, the Fast Credit incident stays in the alleged category, as is common with dark web claims where actors post samples to attract buyers. Full validation would require official acknowledgment or forensic analysis.
The NDPC continues to monitor developments and calls on all organisations to treat cybersecurity as a national priority.
Ordinary citizens and businesses are advised to change passwords, enable two-factor authentication, and stay vigilant against scams that may exploit leaked data.
This growing wave of breaches, from the CAC and EFCC to banks like Sterling and lenders like Fast Credit, serves as a stark reminder that Nigeria’s fast-expanding digital economy remains highly vulnerable.
As security experts have noted in recent incidents, information is power, and too much of it currently appears to be in the hands of hackers.
Join BusinessDay whatsapp Channel, to stay up to date
Open In Whatsapp
