Incidents of data breaches across Nigeria’s public and financial institutions are exposing deep cracks in the country’s data protection framework, a cybersecurity expert, Wale Adewale Edun, has said.
Edun, a senior information security consultant with over three decades of experience in data protection, cybersecurity and corporate governance, warned that weak enforcement of existing laws has left both institutions and individuals vulnerable, despite increasing awareness of digital risks.
Speaking in an interview with The Guardian, he said recent cyberattacks targeting key organisations point to a growing and largely unchecked threat to national security and personal data safety.
“In recent months, there has been a surge in attacks on Nigerian organisations,” he said. “These actors are not just targeting one sector. They are going after government agencies, financial institutions, telecoms companies and private organisations.”
According to him, the limited disclosure of breaches reflects a wider problem within Nigeria’s cybersecurity landscape: a lack of transparency and accountability.
“Very few of these breaches are properly reported,” he said. “And when they happen, the public is often left in the dark.”
While cyberattacks are a global challenge, Edun warned that Nigeria’s current situation is particularly concerning because of the scale of data exposure and the country’s weak enforcement mechanisms.
He stressed that the implications go beyond financial loss, extending into national security risks and long-term economic consequences.
“The global environment today shows that access to data is a major tool in modern conflict,” he said. “When sensitive personal and institutional data is exposed, it creates vulnerabilities that go far beyond the individual.”
Personally identifiable information, including names, addresses, dates of birth, phone numbers and financial details, can be exploited for fraud, identity theft and other forms of cybercrime.
In Nigeria, where digital adoption has grown rapidly across banking, telecommunications and government services, the volume of such data in circulation has increased significantly.
Edun warned that many Nigerians may already be at risk without fully realising it.
“If critical data from institutions is compromised, the damage is not limited to those organisations,” he said. “It affects everyone connected to them.”
Despite the risks, many organisations continue to present themselves as compliant with data protection standards. However, Edun argued that this compliance is superficial.
“There is a difference between being compliant on paper and actually being secure,” he said.
According to him, many organisations treat cybersecurity as a “tick-box exercise”, focusing on obtaining certifications rather than implementing continuous protection measures.
In practice, this means policies and procedures may exist on paper, but are not consistently applied in day-to-day operations.
“An organisation can pass an external audit today and still be breached tomorrow,” he explained. “Certification does not guarantee security.”
He noted that external audits are often scheduled in advance, giving organisations time to prepare and present ideal conditions that may not reflect their usual practices.
“The auditor sees what the organisation wants them to see,” he said. “That does not mean the systems are secure at all times.”
This gap between compliance and actual readiness, according to him, is one of the most critical weaknesses in Nigeria’s cybersecurity framework.
Nigeria already has legal frameworks designed to protect data, including the Nigeria Data Protection Act and oversight by the Nigeria Data Protection Commission.
However, Edun argued that the problem lies not in the absence of laws, but in their enforcement.
“The regulation is there,” he said. “What is missing is enforcement.”
He criticised a pattern of delayed investigations and a lack of visible sanctions against organisations that suffer breaches.
“With the number of incidents we have seen, there should have been clear outcomes by now,” he said. “Investigations should be concluded, findings published and penalties applied where necessary.”
According to him, the absence of consequences has allowed organisations to continue operating without prioritising data protection.
He added that organisations are more likely to take cybersecurity seriously when there are financial implications.
“When businesses know they will face significant penalties, they respond,” he said. “Without that, there is little incentive to change behaviour.”
One of the most troubling aspects of Nigeria’s data protection environment, according to Edun, is the lack of communication following breaches.
Under existing regulations, organisations are expected to notify both regulators and affected users when a breach occurs. However, he said this requirement is rarely enforced in practice.
“Customers are supposed to be informed if their data is compromised,” he said. “But in Nigeria, that almost never happens.”
As Nigeria continues to expand its digital economy, the risks associated with weak data protection are becoming more pronounced.
From banking to business registration and telecommunications, large volumes of sensitive data are being collected and stored daily. Edun warned that without urgent reforms, the country risks undermining both public confidence and investor trust.
“When organisations cannot demonstrate that they can protect data, it raises concerns for anyone looking to do business,” he said.
He added that credibility in the digital space is increasingly tied to how well countries protect information.
“It is not enough to claim compliance,” he said. “What matters is whether systems are truly secure.”
Beyond weak enforcement and superficial compliance, Edun said another critical gap in Nigeria’s cybersecurity landscape lies in the failure to understand the nature of threats facing organisations.
According to him, many institutions focus heavily on external attacks while underestimating risks within their own systems.
He explained that employees with access to sensitive systems can unintentionally expose data through poor practices such as weak password management, mishandling of information or falling victim to phishing attacks. In more severe cases, insiders may deliberately compromise systems for financial gain.
This, he noted, reinforces the need for continuous training and awareness within organisations, rather than a one-off compliance exercise.
“Cybersecurity is not just about technology. It is about people and processes,” he said.
“If the people handling the systems are not properly trained, the system itself becomes vulnerable.”
He added that many Nigerian organisations fail to invest adequately in building internal capacity, often prioritising certification over competence.
In contrast, he said organisations in more advanced markets treat cybersecurity as an ongoing operational priority, integrating it into daily business processes and decision-making.
“In other environments, security is part of the culture,” he said. “It is not something you remember once a year when auditors are coming.”
He pointed to international best practices such as continuous risk assessment, real-time monitoring and incident response planning as areas where Nigerian institutions still lag behind.
According to him, while some organisations adopt global standards such as ISO certifications or industry-specific frameworks, these are often implemented only to meet regulatory or contractual requirements.
“They do what is necessary to get the certificate, especially if it is required to bid for projects,” he said. “But the actual implementation, which is the day-to-day discipline, is where the gap is.”
He stressed that effective cybersecurity requires sustained investment, not only in technology but also in skilled personnel.
“Security is not cheap,” he said. “But the cost of not securing your systems is far greater.”
Edun also highlighted the economic implications of Nigeria’s current cybersecurity posture, noting that weak data protection could discourage foreign investment.
According to him, investors increasingly assess data security standards when deciding where to operate, particularly in sectors that rely heavily on digital infrastructure.
“If you are asking investors to bring their business into your environment, they need to be confident that their data will be protected,” he said. “If that confidence is not there, they will look elsewhere.”
He warned that repeated reports of data breaches, coupled with a lack of visible accountability, could damage Nigeria’s credibility in the global digital economy.
However, he noted that the situation also presents an opportunity for growth if addressed properly.
According to him, strengthening cybersecurity across sectors could create significant employment opportunities, particularly for young Nigerians.
“With the number of organisations that need to improve their systems, there is potential to create tens of thousands of jobs in cybersecurity and related fields,” he said.
He explained that every organisation handling sensitive data would require trained professionals to manage risk, monitor systems and respond to incidents.
“This is not just about solving a problem,” he said. “It is also about building capacity and creating an industry.”
Despite the scale of the challenge, Edun maintained that the solution does not lie in creating new laws, but in enforcing existing ones and ensuring organisations take responsibility for protecting data.
He reiterated that regulators must move beyond issuing guidelines to demonstrating visible action.
“What is needed now is not more policy statements,” he said. “It is enforcement.”
He called for faster investigations into reported breaches, clearer communication of findings and the application of sanctions where necessary.
He also emphasised the role of organisational leadership, noting that boards and top management must take greater responsibility for cybersecurity.
“Security should not be left only to IT departments,” he said. “It is a governance issue.”
According to him, decision-makers must demand evidence of effective data protection measures, rather than relying on assurances or documentation.
“The board must ask questions,” he said. “They must want to see proof that systems are secure, not just hear that they are.”
He added that data protection officers within organisations should be empowered to carry out their responsibilities effectively, rather than being treated as a formality.
As digital services continue to expand across sectors, Edun warned that failure to address these structural issues could lead to more frequent and more damaging breaches.
“The risk is increasing every day,” he said. “And the longer we delay action, the more difficult it becomes to manage the consequences.”
For many Nigerians, the scale of data breaches and the complexity of cybersecurity threats can create a sense of helplessness. However, Edun said individuals are not entirely without agency, even within a system that is still evolving.
According to him, one of the biggest gaps in Nigeria’s data protection landscape is not just institutional failure, but public unawareness of rights.
“The average Nigerian does not know that they have rights over their data,” he said. “And if you don’t know your rights, you cannot enforce them.”
He explained that individuals are entitled to ask organisations how their personal information is being collected, used and stored, as well as how long such data will be retained.
“Any time an organisation asks for your information, you have the right to question it,” he said. “What do you need it for? How will you use it? How long will you keep it?”
He noted that in many cases, Nigerians provide sensitive personal details without hesitation, because such requests have become routine across banks, telecommunications firms, government agencies and private businesses.
“That culture needs to change,” he said. “People must begin to ask questions.”
Edun also stressed that individuals have the right to request access to the data organisations hold about them, as well as the right to demand corrections or deletion in certain circumstances.
“If you close an account with an organisation, you should be able to ask what happens to your data,” he said. “These are rights that people need to start exercising.”
Beyond awareness, he advised Nigerians to adopt basic digital safety practices, including the use of strong passwords, regular updates of account credentials and caution when sharing personal information online.
While these measures may not prevent large-scale institutional breaches, he said they can reduce personal exposure and limit the damage in the event of a compromise.
Still, he maintained that the primary responsibility for data protection lies with organisations and regulators, not individuals.
“You cannot shift the burden entirely to the user,” he said. “The systems themselves must be secure.”
Edun returned to his central argument that Nigeria’s challenge is not a lack of frameworks, but a lack of decisive action.
He said the country has reached a point where continued inaction could have far-reaching consequences for its digital future.
“This is a critical moment,” he said. “We have the opportunity to address this problem now, or allow it to grow into something much more difficult to manage.”
He called on regulators to take more visible and decisive steps in enforcing data protection laws, including concluding ongoing investigations and making their findings public.
“People need to see that something is being done,” he said. “Transparency is important, not just for accountability, but for restoring confidence.”
He also reiterated the need for sanctions where organisations are found to have failed in their responsibilities.
“Without consequences, nothing will change,” he said. “There has to be a clear message that data protection is not optional.”
According to him, such actions would not only improve compliance but also strengthen trust in Nigeria’s digital ecosystem.