A suspected cyberattack on Remita, a major Nigerian payment processing platform operated by SystemSpecs, has raised serious concerns over data security after a dark web actor known as ByteToBreach claimed responsibility for the breach.
According to findings by the Foundation for Investigative Journalism (FIJ), the hacker published what appear to be Know-Your-Customer (KYC) documents, identity records, database folders, SQL files and user hash information linked to cloud storage services.
FIJ reported that several of the exposed folders and repositories remained publicly accessible as of press time, with some files containing data structures consistent with a Remita-related database environment. The leaked materials reportedly include identity documents belonging to multiple Nigerians.
Hacker With Established Track Record
Cybersecurity analysts describe ByteToBreach as an active figure in underground cybercrime networks since at least 2025. The actor has reportedly used platforms such as Telegram, Signal and Pastebin to distribute stolen data and make extortion demands.
Threat intelligence firms including KELA and SOCRadar have previously profiled the hacker as a persistent data leak operator targeting banks, telecoms firms and government institutions.
While some of the hacker’s past claims have been verified — including a breach involving Eurofiber — experts caution that not all claims have been independently confirmed, noting a pattern of self-promotion and exaggeration.
Why Remita Is a Critical Target
The potential breach has drawn heightened attention due to Remita’s central role in Nigeria’s financial infrastructure. The platform is widely used for processing government payments under the Treasury Single Account (TSA) framework implemented in 2015.
Through this system, Remita facilitates transactions such as tax payments, government fees, university tuition, and payroll processing for federal workers. Its integration with public financial systems means it may process highly sensitive data, including salary records, tax details, bank account information and transaction histories.
Nature of the Exposed Data
FIJ’s investigation indicates that the leaked data may include:
- KYC documents such as passports and identity cards
- Database structures and SQL files
- Payment and transaction records
- User password hashes
Security experts note that such data, if authentic, could enable identity theft, financial fraud and targeted phishing attacks. Password hashes, while encrypted, may be vulnerable to cracking if weak encryption standards were used.
Legal and Regulatory Implications
Under the Nigeria Data Protection Act 2023, organisations handling personal data are required to implement robust safeguards, including encryption, access controls and regular security assessments.
In the event of a breach, Section 40 of the law mandates that affected organisations notify the Nigeria Data Protection Commission within 72 hours where there is a risk to individuals’ rights and freedoms. Affected data subjects must also be informed where there is a high risk of harm, such as identity theft or financial loss.
No Official Response Yet
As of press time, neither Remita nor the Nigeria Data Protection Commission had issued any public statement confirming or addressing the alleged breach.
FIJ reported that attempts to reach Remita were unsuccessful, while an official of the NDPC directed inquiries to email correspondence without providing substantive comments.
Compliance Questions Emerge
FIJ also noted that Remita is classified by the NDPC as a data processor of major importance at an ultra-high level, a designation reserved for organisations handling large volumes of sensitive personal data.
Despite this classification, FIJ found no publicly available privacy policy on the website of SystemSpecs, raising further questions about transparency and compliance with Nigerian data protection requirements.
Related Developments
On the same day the breach was announced, the Central Bank of Nigeria directed banks to complete cybersecurity self-assessments within three weeks. Although no official link has been established, the timing has drawn attention within the financial sector.
Separately, reports indicate that Remita has moved to reset certain API keys, though the company has not publicly connected this action to the alleged breach.