Why the first 72 hours are everything
The 72-hour window is not arbitrary. It is the exact timeframe the Nigeria Data Protection Act (NDPA) gives you to notify the NDPC of a personal data breach. It is also the window during which forensic evidence is freshest, attacker persistence mechanisms are most detectable, and the gap between containment and catastrophe is narrowest.
In 2024, the CBN issued over ₦1 billion in cumulative fines to financial institutions for cybersecurity failures. The NDPA penalty framework adds up to ₦10 million or 2% of annual gross revenue (whichever is higher) for negligent data handling. These are not hypothetical numbers. They are enforcement precedents that have already bankrupted smaller operators.
This playbook is structured by the hour. Print it. Share it with your CTO, your Head of Engineering, and your legal counsel. When the breach happens, you will not have time to Google what to do.
Hour 0-4: Contain the damage
The first four hours are about stopping the bleeding. You are not investigating root cause yet. You are not notifying anyone externally. You are preventing further data loss.
Activate your Incident Response team
If you have an Incident Response plan, execute it now. If you do not, designate an Incident Commander immediately. This person owns every decision for the duration of the incident. Every action, every communication, every system change flows through them. Confusion about who is in charge is the single biggest cause of botched incident responses.
Isolate affected systems
Disconnect compromised servers from the network. Do NOT power them off. Volatile memory contains evidence: active processes, network connections, loaded malware. Pull the ethernet cable or revoke the security group in AWS/Azure. If the attacker is in your Kubernetes cluster, cordon the affected nodes. If they are in your database, revoke all external connection strings and rotate to a new endpoint.
Revoke compromised credentials
Immediately rotate every credential that could be compromised: API keys, database passwords, OAuth tokens, SSH keys, and admin console passwords. If you use a secrets manager like HashiCorp Vault or AWS Secrets Manager, trigger an emergency rotation. If your .env files were exposed, assume every secret in them is burned.
Freeze deployments
Halt all CI/CD pipelines. The attacker may have compromised your build pipeline or injected malicious code into a pending deployment. A deployment during an active breach can overwrite forensic evidence or push the attacker's code to production.
Do not wipe anything
The instinct to "clean up" is strong. Resist it. Every server you wipe, every log you delete, every database you restore from backup is evidence destroyed. You need that evidence for the NDPC investigation, for law enforcement, for your cyber insurance claim, and for the forensic team that will determine how the attacker got in.
Hour 4-12: Preserve forensic evidence
With the immediate bleeding stopped, shift to evidence preservation. Everything you do from this point must maintain a defensible chain of custody.
- Capture forensic images: Create bit-for-bit disk images of all affected servers using tools like dd, FTK Imager, or AWS EBS snapshots. These images must be stored on isolated, write-protected media. Never perform forensic analysis on the original disk.
- Dump volatile memory: Before the systems are eventually powered down, capture RAM dumps using tools like LiME (Linux) or WinPMEM (Windows). Memory contains decrypted data, running processes, and active network connections the attacker is using.
- Secure logs before rotation: Your application logs, access logs, WAF logs, VPC Flow Logs, and CloudTrail/Azure Activity Logs will rotate on schedule. Export and archive them to immutable storage (S3 with Object Lock, or a dedicated SIEM) immediately. If logs rotate before you archive them, you lose the timeline of the attack.
- Document everything: Start an incident log with timestamps (use UTC). Record every action taken, every system touched, every person involved, and every decision made. This log is a legal document. Write it like a lawyer will read it, because one will.
- Capture network traffic: If possible, enable packet capture (pcap) on the network segments where the attacker is active. This captures command-and-control traffic, data exfiltration streams, and lateral movement in real time.
If your team does not have forensic imaging capabilities, this is the point to engage an external Digital Forensics and Incident Response (DFIR) team. The cost of a DFIR engagement (typically ₦15-50 million for a mid-sized fintech) is a fraction of the regulatory fines you will face if you cannot demonstrate what data was compromised.
Hour 12-24: Assess the scope
Now you need answers to three questions: How did they get in? What did they access? How bad is this?
Determine the attack vector
Correlate your log data to identify the initial entry point. Was it an unprotected API endpoint? A BOLA vulnerability that let the attacker escalate to admin? A phished employee credential? A compromised third-party SDK? Identifying the vector tells you what to patch and what other systems may be affected.
Identify affected customer data
Map every database table and object store the attacker touched. Determine the categories of personal data compromised: BVNs, NINs, phone numbers, transaction histories, account balances, KYC documents. The NDPC notification requires you to specify the "categories of data subjects" and "approximate number of data subjects concerned." If you processed KYC/BVN data, assume it is compromised until proven otherwise.
Estimate financial exposure
Calculate direct losses (stolen funds), potential regulatory fines (up to 2% of gross revenue under NDPA), legal liability (class action exposure based on number of affected users), and operational costs (DFIR fees, emergency security remediation, customer compensation). For a fintech processing ₦500 million monthly, the total breach cost can easily exceed ₦100 million.
Hour 24-48: Notify regulators and legal counsel
You are now inside the NDPA's 72-hour notification window. Do not wait until hour 71.
- Engage legal counsel immediately: Your external lawyer should review every communication before it leaves the building. Anything you say to regulators, partners, or customers can be used against you in enforcement proceedings or civil litigation. Attorney-client privilege protects your internal investigation findings, but only if a lawyer is directing the investigation.
- Notify the NDPC: File a formal breach notification with the Nigeria Data Protection Commission. The notification must include: the nature of the breach, categories of data affected, approximate number of data subjects, likely consequences, and the measures you have taken or propose to take. See our step-by-step NDPC reporting guide for the exact process.
- Notify the CBN: If you hold a CBN licence (payment service provider, microfinance bank, mobile money operator), you must notify the CBN's IT Standards and Cybersecurity department. The CSAT framework requires licensed institutions to report cybersecurity incidents. Failure to report compounds the penalty.
- Notify law enforcement: File a report with the Nigeria Police Force Cybercrime Unit (NPF-CCU) or the Economic and Financial Crimes Commission (EFCC) if financial fraud is involved. This creates an official record and may be required for your cyber insurance claim.
- Contact your cyber insurance provider: If you have cyber liability insurance, notify your carrier within the policy's reporting window (typically 24-48 hours). Late notification can void your coverage entirely.
Need emergency incident assessment? Our team can be on a call within 2 hours to help you scope the breach and plan remediation.
Request Emergency AssessmentHour 48-72: Communicate strategically
Communication during a breach is a minefield. Say too little, and you look like you are covering up. Say too much, and you hand your adversaries ammunition for lawsuits and your competitors ammunition for sales decks.
Customer notification
Once regulators are notified and legal counsel has approved the language, notify affected customers. Be specific about what data was compromised (do not say "some data may have been affected" when you know 50,000 BVNs were exfiltrated). Explain what you are doing about it. Offer concrete protective steps they can take: changing passwords, monitoring their bank accounts, placing fraud alerts on their BVN through NIBSS. Generic apology emails without actionable guidance destroy credibility.
Partner and vendor notification
If your systems integrate with banking partners, payment processors, or other fintechs via API, notify them. Their systems may also be compromised through your shared API credentials or webhook endpoints. Coordinate with their security teams on credential rotation and traffic monitoring.
Press handling
Do not issue a press statement before you have notified regulators. This is not optional, it is a regulatory requirement that prevents your public statement from contradicting what you have told the NDPC. Prepare a holding statement for media inquiries: acknowledge the incident, confirm you are investigating, and state that you are cooperating with regulatory authorities. Redirect all press inquiries to a single spokesperson.
What NOT to do during a breach
Panic-driven decisions during a breach cause more damage than the breach itself. These are the most common mistakes we see Nigerian fintechs make.
- Do not wipe servers or restore from backup prematurely: You destroy the evidence needed for forensic investigation, regulatory reporting, and insurance claims. The NDPC will ask how the breach occurred. "We do not know because we wiped the servers" is not a defensible answer.
- Do not pay ransomware demands without legal advice: Payment does not guarantee data recovery. It may violate anti-money-laundering regulations. It funds criminal enterprises. And it marks your company as a payer, guaranteeing future attacks. Consult legal counsel and law enforcement first.
- Do not notify the press before regulators: If the NDPC or CBN learns about your breach from a news article instead of your official notification, expect maximum enforcement. You have demonstrated that you prioritise public relations over regulatory compliance.
- Do not blame employees publicly: Even if a phishing attack on an employee was the entry point, public blame destroys your security culture and makes future employees less likely to report incidents. Address the systemic failure (lack of phishing-resistant MFA, inadequate training) rather than the individual.
- Do not communicate on compromised channels: If the attacker has access to your Slack workspace, email servers, or internal communication tools, they are reading your incident response communications. Use out-of-band communication: personal phone calls, Signal, or a freshly provisioned Slack workspace on a clean device.
After the 72 hours: Recovery begins
The first 72 hours are about survival. What comes next is about rebuilding. You need a structured approach to rebuilding your security posture that addresses the root cause, validates your remediation, and demonstrates to regulators that you have taken the incident seriously.
The immediate post-breach priorities include:
- Root cause elimination: Patch the vulnerability that allowed initial access. If it was a broken access control issue, fix the authorisation logic. If it was a credential compromise, implement phishing-resistant MFA (FIDO2/WebAuthn, not SMS OTP).
- Verification pentest: Commission a penetration test specifically targeting the attack vector that was exploited. The resulting report provides regulators with documented evidence that the vulnerability has been remediated.
- Continuous monitoring: Deploy or improve your SIEM, EDR, and DLP tooling. The attacker may have planted backdoors that your initial containment missed. Continuous monitoring for 90 days post-breach is standard practice.
- Post-incident review: Conduct a blameless retrospective. Document what worked, what failed, and what you will change. Update your Incident Response plan based on lessons learned.
Fraud losses are accelerating
NIBSS reported over ₦18 billion in fraud losses across Nigerian financial institutions in 2024, a 40% increase from the previous year. The median time to detect a breach in the financial sector is 120 days. If your detection time is measured in days rather than minutes, your exposure is compounding every hour the attacker remains undetected.
When to engage Simpa Labs
If you are reading this article during an active incident, reach out immediately. We offer emergency breach assessment engagements that include: scoping the compromise, advising on evidence preservation, performing targeted penetration testing of the exploited attack vector, and producing a remediation report suitable for submission to the NDPC and CBN.
If you are reading this before an incident, the smartest investment you can make is a proactive penetration test and an incident response plan. The companies that survive breaches are the ones that planned for them.
Whether you are responding to an active breach or preparing for one, we can help.
Talk to Our Security TeamFrequently asked questions
Should I shut down all systems immediately after a breach?
No. A full shutdown destroys volatile forensic evidence in memory (RAM) and can alert the attacker that they have been detected, causing them to trigger destructive payloads. Instead, isolate affected systems from the network while keeping them powered on so you can capture memory dumps and preserve evidence.
How quickly must I notify the NDPC after a data breach?
Under the Nigeria Data Protection Act (NDPA), you must notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware that personal data has been compromised. Failure to meet this window significantly increases your regulatory liability and potential fines.
Should I pay a ransomware demand?
Never pay a ransom without first consulting legal counsel and, ideally, law enforcement (the Nigeria Police Force Cybercrime Unit or Interpol's Nigeria desk). Paying does not guarantee data recovery, may violate anti-money-laundering regulations, and marks your company as a willing payer for future attacks.
What does a post-breach penetration test involve?
A post-breach pentest is a verification engagement that specifically targets the attack vector used in the breach, validates that remediation was effective, and tests for additional weaknesses the attacker may have exploited. It produces a report you can submit to the NDPC and CBN as evidence of remediation.
Related reading
Blog: Cost of a Data Breach · Reporting to NDPC · Sterling-Remita Breach Lessons
Guides: After a Breach · Fintech Security Checklist
Services: Penetration Testing · Vulnerability Assessment