From ATMs to Apps: Data protection, safeguards still the missing link

Nigeria’s digital journey, from ATM transactions to app-based fintech services, represents a remarkable leap. But the progress still rests on a fragile foundation of data protection. While the Nigeria Data Protection Act 2023 marked a significant legislative milestone, implementation is largely constrained by weak enforcement, institutional capacity gaps and inadequate infrastructure, ADEYEMI ADEPETUN reports.

On a chilly January morning in 2025, Ifeanyi Chukwu watched helplessly as his father’s life suffered a major setback after a trip to a commercial bank in Lagos. What began as a routine withdrawal ended in heartbreak. His father went to withdraw money from the ATM, but his card got stuck in the machine. Several attempts at retrieving it from the terminal failed.

Unfortunately for him, while he went to the banking hall to report the incident, the ATM eventually came out and landed in the hand of a fraudster posing as a fellow customer, who had already got hold of the PIN, while showing sympathy.

Within minutes, N1.4 million vanished through a distant point of sale (PoS) terminal. Debit alerts buzzed on Chukwu’s father’s phone while inside the bank seeking help. The shock was so severe that his mother suffered a stroke when she heard of what happened. She never recovered!

For Chukwu, the tragedy was not just about stolen money. It was about trust. Trust in a system that promised convenience but delivered vulnerability. His family’s ordeal is one of countless stories that illustrate the human cost of Nigeria’s digital banking revolution.

Months earlier in Lagos, 27-year-old software engineer, Tunde Adekunle, faced a different kind of nightmare. Adekunle, a mid-level cloud engineer with a stable salary, applied for a vehicle loan from a tier-1 commercial bank. He submitted his pay slips, employment letters and Bank Verification Number (BVN). Days later, the bank rejected his application, citing a severe “non-performing loan” in his record.

Adekunle was stunned. He had never defaulted on a loan. The culprit was a quick-lending fintech app he had downloaded out of curiosity. The app harvested his contacts, photos and SMS history. After he repaid a N15,000 loan he took, he said, the app disbursed another N25,000 without his consent, slapped on a predatory 90 per cent interest rate, and reported him as a toxic defaulter when he refused to pay.

The app then weaponised his contact list, sending defamatory messages to his colleagues and managers, labelling him a “corporate fraudster”. His reputation was shredded; his career was threatened.

Adekunle’s story underscores a disturbing reality: in Nigeria’s digital economy, convenience often comes at the cost of privacy, dignity, and opportunity.

A nation on edge
ACROSS the country, Nigerians are increasingly anxious about data breaches. Identity theft, where personal data is exploited for financial gain, has become rampant. Fraudsters exploit loopholes in ATMs, mobile apps, Internet banking platforms, and identity management.

For instance, ATMs are targeted through card skimming and unauthorised withdrawals. Mobile apps and USSD codes are exploited via SIM swaps, fake apps, and phishing.

Internet banking faces malware and credential theft, with social engineering as the dominant attack vector. Here, there have been cases where attackers, knowing that a user ID and password aren’t enough to move money out of a bank account, immediately transition to a live phone call.

A smooth-talking fraudster calls the victim, pretending to be a “Customer Care Representative” from their bank. They use local banking jargon, confirm the victim’s full name (often pulled from Truecaller or leaked databases), and state they are calling to help finish the “unblocking process.”

While on the phone, the attacker logs into the real Internet banking portal using the stolen credentials, triggering the bank’s automated system to send a one-time password (OTP) or a soft-token prompt to the victim’s phone.

The caller tells the victim, “An activation code has just been sent to your phone by our system. Please read it out to me so I can finalise the unblocking.” From there, if the victim falls for the bait, his account is wiped.

The Nigeria Inter-Bank Settlement System (NIBSS) reported that in 2024, N400 million in fraud proceeds was channelled through accounts opened with stolen identities. A global identity fraud report by Sumsub ranked Nigeria highest in Africa, with a fraud rate of 5.91 per cent. Nigeria is followed by Algeria, Tanzania, Madagascar and Chad. All the African countries in the top 10 more than doubled their fraud rates during the year.

Experts further said there are social costs attached to privacy violations. For instance, when private information such as health records, location history, or communication metadata is exposed, individuals can experience reputational damage, discrimination or unwanted intrusion into their private lives.

Checks showed that data-driven behavioural profiling by some platforms has also led to targeted marketing or even exclusion from opportunities without individuals’ clear understanding or consent. These harms disproportionately affect those with lower awareness of digital rights and fewer resources to remedy breaches.

From plastic cards to digital wallets: what changes?
IN the early 2000s, the ATM was king. Nigerians carried plastic cards, memorised four-digit PINs, and trusted that their financial footprint was limited to withdrawals and balances. Data exposure was minimal. One’s card number and PIN were the only keys, and banks largely controlled the vault of information.

Then came mobile money! Suddenly, a phone number became more than a contact; it was a financial identity. Sending and receiving funds through USSD codes or SMS brought convenience, but also new vulnerabilities. Fraudsters no longer needed a user’s card; they only needed access to the SIM. The regulator’s challenge shifted: protecting millions of phone-linked wallets in a country with recurrent cases of SIM swaps and identity theft.

The app era transformed the landscape yet again. Fintechs exploded, linking Bank Verification Numbers (BVN) and National Identification Numbers (NIN) to digital wallets. Biometrics, spending patterns, and even location data entered the mix.

Apps promised seamless payments, but they also harvested unprecedented amounts of personal information. The question became: did Nigeria’s data protection laws keep pace? The Nigeria Data Protection Regulation (NDPR) of 2023 was a bold step, but enforcement lagged behind innovation. Startups raced ahead, while regulators struggled to monitor how apps stored, shared, and monetised sensitive data.

From ATM cards to mobile wallets to fintech apps, Nigeria’s financial evolution has been rapid. Industry analysts believe that the story of data protection is one of catch-up, always chasing the next wave of technology, striving to balance innovation with the fundamental right to privacy.

Unending high-profile breaches
NIGERIA has witnessed several high-profile data privacy violations in recent years, ranging from corporate mishandling of user information to government-related breaches.

Surfshark, a cybersecurity firm, said 10 per cent of Nigerians have been affected by a data breach. The report indicates that Nigeria recorded more than 566,300 breached accounts in 2025, ranking Nigeria among the most affected countries in sub-Saharan Africa.

Amid this, there have been Loan Shark harassments, which came slightly under control through the intervention of the Federal Competition & Consumer Protection Commission (FCCPC). These incidents highlighted weak enforcement, poor security practices, and growing public concern over digital rights and monitoring by Nigeria’s data regulator.

The NDPC accused Meta of violating the Nigeria Data Protection Act (NDPA) 2023 by collecting data from over 60 million Nigerian users without explicit consent, engaging in unauthorised cross-border transfers, and using algorithms that exposed users to financial and health risks. A $32.8 million fine was initially imposed in 2025 but controversially dropped in 2026 after a confidential settlement, raising questions about enforcement credibility.

In 2003, over N2.9 billion was moved through unauthorised transactions linked to insider exploitation of workflow vulnerabilities at a fintech unicorn. While the unicorn denied a traditional “breach,” court filings revealed lapses in internal controls and data handling, undermining trust in Nigeria’s fintech sector.

Sensitive personal data from Nigeria’s national identity database (NIMC) was exposed due to weak API security. This incident highlighted risks in government systems and the potential misuse of citizens’ biometric and demographic information.

Specifically, in March 2024, NIMC relied on private partners who illegally sub-leased their credentials to black-market entities. Due to unsecured APIs lacking proper protection or authorisation tracking, unauthorised websites bypassed security layers. Consequently, millions of Nigerians’ sensitive data—including NINs, BVNs, demographic profiles, and biometric photographs- were openly sold online for as little as N70.

There were cases of data breaches against Remita and Sterling Bank. While that was yet to cool off, the hackers attacked the Corporate Affairs Commission (CAC), breaching the system.

In May 2026, Nollywood actor, Emeka Ike’s voter registration data was allegedly leaked from INEC’s restricted portal and shared online by an aide to the FCT Minister, Lere Olayinka. After much public outcry, the NDPC launched an urgent probe, while Ike filed a N10 billion lawsuit against INEC and Olayinka, citing violation of his privacy rights. INEC denied a cyberattack, attributing the incident to misuse of internal credentials. The country awaits the outcome of the Dr Vincent Olatunji-led NDPC’s findings, almost about three months now.

Importance of robust digital public infrastructure
SPEAKING with The Guardian, a DPI expert and Data Processing Officer, Bola Adepegba, explained that when Nigerians queue at ATMs or tap their phones to make payments, they are engaging with fragments of what should be a robust Digital Public Infrastructure (DPI).

Yet, according to her, the question remains: are these fragments enough to protect citizens in a digital economy that is expanding faster than the safeguards around it?

She said DPI is meant to be the invisible backbone of modern life: digital identity systems, interoperable payment rails, and secure data exchanges that make everyday transactions seamless and safe.

“In Nigeria, however, this backbone is only partially formed. The NIBSS has enabled interoperability across banks and apps, and the NIN offers a foundation for digital identity. These are steps in the right direction. But they are steps taken on uneven ground.

“Unlike India’s Aadhaar-anchored ecosystem, Nigeria’s systems arguably remain siloed. Payment platforms, identity databases, and regulatory oversight need to speak the same language. When this is missing, the fragmentation leaves citizens exposed to fraud, phishing, and unauthorised data sharing.

“The NDPC is tasked with plugging these gaps, but its enforcement capacity is still developing. For many Nigerians, the promise of protection feels more aspirational than real.

“The consequences are tangible. Trust in digital systems is fragile, built on a history of service failures and security breaches. Millions in rural areas remain excluded altogether, lacking Internet access or digital literacy. DPI should be inclusive, but Nigeria’s current infrastructure risks deepening divides rather than bridging them.” She stated.

According to her, Nigeria’s digital economy is sprinting ahead, but its DPI is limping behind. “Citizens are being asked to embrace apps and cashless transactions without the assurance that their data and money are safe. The NDPC’s role is vital, but it cannot succeed without a stronger, integrated DPI framework that prioritises security, interoperability and inclusion.”

She stressed that if Nigeria wants to move confidently from ATM to apps, it must invest not just in innovation but in the invisible rails that make digital life trustworthy, saying without that, the digital leap risks becoming a digital trap.

On her part, the Corporate Communications and PR Manager, NIBSS, Lilian Phido, who stressed the importance of linkages, said linkage is not just a compliance exercise but a foundational building block in Nigeria’s DPI journey. She said NIBSS’s responsibility is to ensure that as interoperability increases, trust increases proportionally, “because at scale, trust and not just technology is what makes DPI sustainable.”

Phido said as interoperability increases, privacy becomes even more critical. She disclosed that NIBSS plans to maintain data privacy standards by adhering to the following principles: “Adoption of Consent-Based Access Frameworks: Interoperability being structured around explicit user consent, audit trails, and role-based access controls with every integration point is logged and governed within defined regulatory parameters.

“Strong Governance & Regulatory Alignment: Operating within Nigeria’s data protection framework, i.e. NDPA and financial sector regulations. As DPI expands, governance mechanisms across technical, legal, and institutional parastatals must be seen to be evolving alongside it. As such, embedding privacy compliance standards within the design and systems architecture stages is a critical success factor.

“Security-by-design architecture: Building our systems around the following technology capabilities: Data encryption at rest and in transit, tokenisation where applicable, segmented infrastructure environments, continuous system/application monitoring and anomaly detection.”

The NDPC is, however, responsible for enforcing data protection laws and ensuring compliance with data protection standards, aiming to safeguard the privacy rights of individuals and promote responsible data management across sectors. Simply put, the Commission is the referee between a user and every company that holds his or her data, including the banks, telcos, fintechs, hospitals and government agencies.

The NDPC acts as the regulator and enforcer under the Nigeria Data Protection Act (NDPA) 2023, with oversight on Data Controllers and Data Processors (organisations and businesses that collect, store or handle personal data).

The NDPA, effective June 12, 2023, introduced a modern framework aligned with global standards like the EU’s GDPR. It applies to all organisations processing personal data in Nigeria, including foreign firms targeting Nigerian residents.
This report is produced under the DPI Africa Journalism Fellowship Programme
of the Media Foundation for West Africa and Co-Develop.

The Act requires data controllers and data processors of major importance to register with the Commission, appoint data protection officers, conduct audits and submit yearly returns. Processing must be lawful, transparent, and purpose-specific, with organisations bearing the burden of proving freely given consent.

The Commission enforces compliance through investigations, directives and fines. In August 2025, it issued a 21-day notice to over 1,360 organisations across banking, insurance, pensions, and gaming sectors. Penalties have been significant: Multichoice Nigeria was fined N766.2 million for intrusive practices and illegal cross-border transfers, while Fidelity Bank was fined N555.8 million (0.1 per cent of its 2023 revenue) for processing data without consent. These actions demonstrate the Commission’s readiness to apply the law, though appeals may shape future jurisprudence.

The regime also contributes economically. NDPC’s 2024 report showed N12 billion generated from the sector, up from N4 billion in 2021, alongside 23,000 jobs created in 2024 compared to 10,123 in 2023. This reflects growing corporate engagement and integration of data protection into Nigeria’s formal economy. The Commission noted that identity management is crucial in data privacy, among others.

Staying safe and avoiding data breaches
ACCORDING to the NDPC, Nigerians must adopt strong data protection practices, such as respecting their rights under the NDPA 2023, reporting breaches within 72 hours, and ensuring organisations comply with lawful data handling principles, to avoid data breaches.

Under Sections 34 to 38 of the NDPA 2023, Nigerians have specific rights. These are the right to be informed about how their data is collected and used, the right to access personal data held by organisations, the right to rectification if data is inaccurate, the right to object to unlawful processing, right to restrict processing or request deletion, right to data portability (transfer data between services) and the right not to be subjected to automated decision-making without human oversight.

An executive of Cyberdynamics Solutions, Cybersecurity expert, Lana Adegoke, said: Nigerians should demand transparency, ask how your data will be used and stored. Report violations: If an organisation misuses your data, lodge a complaint with NDPC. Stay alert to scams: Phishing emails, fake SMS and fraudulent calls are common entry points for breaches.

“Educate yourself: NDPC runs awareness programs like the Virtual Privacy Academy to help Nigerians understand data protection.”

Adegoke listed some risks and how to avoid them: “Risk of identity theft: Sharing BVN or NIN carelessly can lead to fraud.

“Risk of financial loss: Breaches in mobile banking apps can expose accounts.
“Risk of reputational damage: Organisations that fail to comply face fines and loss of trust.”

He advised Nigerians to enable two-factor authentication, avoid public Wi-Fi for financial transactions, and immediately report suspicious activity to both their bank and the NDPC.

An ex-employee of defunct NITEL Nigeria, Kehinde Aluko, submitted that for millions of ordinary Nigerians, it is the daily anxiety of whether their digital footprints are safe.

According to him, the NDPC’s role is vital, but without stronger integration of digital infrastructure, Nigeria risks deepening divides rather than bridging them. He added that the digital leap must not become a digital trap.

This report is produced under the DPI Africa Journalism Fellowship Programme of the Media Foundation for West Africa and Co-Develop.

Join Our Channels

Taboola Recommendation Widget