A Nigerian Bank’s CEO Had His Home & Transactions Exposed—Hacker Says 900,000 Customers Are Next
When an actor known in underground cybercrime groups by the name ByteToBreach wanted to demonstrate how deep they had burrowed into Sterling Bank Plc’s systems recently, they did not pick an anonymous account or a low-level employee. They went straight to the top, exposing sensitive details of Abubakar Suleiman, the bank’s own Managing Director and Chief Executive Officer.
What they pulled back was everything. His bank account number. His Bank Verification Number, the 11-digit identifier that links every Nigerian to every account they hold across the entire banking system. His home address, pulled directly from the bank’s core banking profile. His date of birth. His personal email.
Then came the financials: multiple active secured loans at his own bank, including one with a credit limit of NGN 51 M and an outstanding balance exceeding NGN 205 M. His total loan exposure across all Sterling Bank facilities, totaling more than NGN 290 M. His credit score, compiled from ten separate entries across Nigeria’s credit bureau system.
And finally, the granular detail of his recent transactions. Web purchases from Temu Lagos. OneBank transfers to named individuals. Stamp duty charges from the days immediately before the breach.
To underscore the totality of the intrusion, the hacker used the CEO’s home address to locate his residence on Google Street View, capturing a screenshot with a Lagos police car visible in the frame. The caption posted alongside the image read: “Home sweet home!”
The point, according to the materials published by ByteToBreach, was not to single out Suleiman, but to demonstrate that if the chief executive’s data was laid bare in its entirety, then so too was the data of every single customer at Sterling Bank.
“The Temenos integration did not distinguish between the CEO and a market trader in Enugu with a savings account,” the published materials stated. “The access was total.”
A Breach That Crawled From One System to Another
The Sterling Bank breach, first claimed by ByteToBreach in dark web forum posts on March 27, 2026, did not stop at one institution. According to findings by cybersecurity experts, once inside the systems of Sterling Bank, a prominent lender, they pivoted laterally and gained access to Remita, the payment platform that processes government salaries, tax payments, and a significant portion of Nigeria’s public-sector financial transactions.
The combined haul, the hacker claims, amounts to roughly three terabytes of data extracted from a misconfigured Amazon cloud storage bucket. The contents include over 800 gigabytes of Know Your Customer documents, such as passports, driver’s licences, national ID cards, utility bills, alongside databases, transaction logs, internal source code, API keys, and password hashes.
For Sterling Bank, specifically, the alleged exposure includes approximately 900,000 customer accounts and more than 3,000 employee records, complete with names, roles, branch locations, and contact information. The employee data alone creates a secondary vulnerability as criminals armed with internal staff details can launch highly targeted phishing attacks against bank personnel, potentially opening new doors into the institution’s systems.
ByteToBreach’s posts also named more than 30 additional Nigerian entities as potential targets, including Zenith Bank, the Oyo State Government, insurance firm Leadway Assurance, fintech company GetBumpa, and Ahmadu Bello University Zaria. None of these organisations has confirmed or denied the claims.
What Makes This Breach Different, and Worse
The Sterling Bank incident is especially alarming for the specific combination of data points allegedly stolen, which together form what security researchers call a “complete financial identity package” for each affected customer.
The Bank Verification Number is particularly dangerous. Because it is the universal biometric identifier that links an individual to every bank account they hold across Nigeria’s entire financial system, a compromised BVN enables fraud that can cascade across multiple institutions simultaneously.
When paired with NUBAN account numbers, transaction histories, loan records, and physical identity documents, the data gives criminals everything they need to impersonate customers with precision.
A fraudster armed with this information could call a Sterling Bank customer, recite their exact outstanding loan balance and last three transactions, and convincingly demand a one-time password. This, as it turns out, is not only possible but a documented playbook of Nigerian financial cybercrime.
Who Is Behind This?
ByteToBreach is not an amateur. Intelligence researchers at KELA Cyber, a global threat intelligence firm, have tracked this actor since at least June 2025 and documented a sophisticated, cross-platform criminal operation spanning multiple continents and industries.
The actor’s previous confirmed targets include Uzbekistan Airways (passenger data that included records of U.S. government employees), Seychelles Commercial Bank (customer banking data and attempted extortion), and Viking Line (traveller payment transaction records). Targets have also been identified in Ukraine, Kazakhstan, Cyprus, Poland, Chile, and the United States.
The hacker’s method, according to threat intelligence reports, is to exploit weaknesses in cloud infrastructure, harvest login credentials from malware-infected devices, and conduct large-scale data theft for sale on criminal marketplaces. Several of ByteToBreach’s past claims have been independently verified.
The Silence From Lagos
As of this writing, Sterling Bank has yet to issue a public statement confirming or denying the breach. Remita, in a communication to banking partners, acknowledged an “incident” but described it as “limited to unauthorised access to certain non-financial data” with “no impact on payment systems or transactions”.
The company asked partners to regenerate API credentials and update integrations, a tacit acknowledgement that something went wrong, even as it insisted its core infrastructure remains secure.
Nigeria’s banking regulators have been similarly quiet. The Central Bank of Nigeria has made no public comment on the claims.
The Nigeria Data Protection Commission, however, has moved. On April 1, 2026, the regulator served formal notices of investigation on both Remita and Sterling Bank.
The inquiry, according to a statement from the commission’s head of legal, enforcement and regulations, Babatunde Bamigboye, will assess “the types of personal data involved, the nature and scope of the alleged breach, the risk to data subjects, and the mitigation measures taken where a breach is confirmed.”
Under the Nigeria Data Protection Act 2023, organisations found to have violated data protection requirements face penalties of up to NGN 10 M or 2% of their annual gross revenue, whichever is higher.
A Crisis of Trust in Nigeria’s Digital Banking Boom
The breach arrives at an awkward moment for Nigeria’s financial sector. The country has been aggressively pushing digital payments and financial inclusion, with millions of Nigerians now conducting their daily transactions through mobile apps and online platforms. Trust in that digital infrastructure, which is the foundation on which the entire system rests, now comes under threat.
Nigeria already ranks third in Sub-Saharan Africa for total data breaches since 2004, with 23.2 million compromised accounts, according to a 2025 report from cybersecurity firm Surfshark. Electronic fraud losses in the banking sector have surged past NGN 1 T annually. The Central Bank has been under pressure to upgrade its decade-old authentication standards from two-factor to three-factor verification.
The Sterling Bank case, if confirmed, would represent a new order of magnitude, especially because of the symbolic weight of seeing a bank CEO’s entire financial life exposed alongside 900,000 of his own customers.
For Suleiman, the breach is personal in ways that extend far beyond his role as chief executive. His home address is now in the hands of unknown actors. His transaction history—who he pays, how he spends, where he shops—is no longer private. His loan exposures, credit score, and banking behaviour are available to anyone willing to pay the right price on an underground forum.
For the 900,000 customers whose data may have been swept up alongside his, it’s anything but reassuring that the man running the bank could not be protected by its security systems. “If that could happen to the CEO, what chance did anyone else have?” lingers as a troubling question.
What Comes Next
The NDPC investigation is expected to take weeks, if not months. In the meantime, cybersecurity experts have advised Sterling Bank and Remita customers to monitor their accounts vigilantly, enable two-factor authentication on all financial applications, and treat any unsolicited phone calls or messages requesting personal information with extreme suspicion.
The broader question of whether Nigeria’s financial institutions are adequately secured against a global threat landscape that has become increasingly hostile is unlikely to be answered by any single investigation. But the image of a bank CEO’s home, pulled from his own employer’s systems and displayed on the internet with a police car in the frame, will linger long after this particular breach fades from the headlines.
It is, as the hacker put it, home sweet home; except it is not sweet, and it is no longer secure.
