Why the first 72 hours are everything

The 72-hour window is not arbitrary. It is the exact timeframe the Nigeria Data Protection Act (NDPA) gives you to notify the NDPC of a personal data breach. It is also the window during which forensic evidence is freshest, attacker persistence mechanisms are most detectable, and the gap between containment and catastrophe is narrowest.

In 2024, the CBN issued over ₦1 billion in cumulative fines to financial institutions for cybersecurity failures. The NDPA penalty framework adds up to ₦10 million or 2% of annual gross revenue (whichever is higher) for negligent data handling. These are not hypothetical numbers. They are enforcement precedents that have already bankrupted smaller operators.

This playbook is structured by the hour. Print it. Share it with your CTO, your Head of Engineering, and your legal counsel. When the breach happens, you will not have time to Google what to do.

Hour 0-4: Contain the damage

The first four hours are about stopping the bleeding. You are not investigating root cause yet. You are not notifying anyone externally. You are preventing further data loss.

Activate your Incident Response team

If you have an Incident Response plan, execute it now. If you do not, designate an Incident Commander immediately. This person owns every decision for the duration of the incident. Every action, every communication, every system change flows through them. Confusion about who is in charge is the single biggest cause of botched incident responses.

Isolate affected systems

Disconnect compromised servers from the network. Do NOT power them off. Volatile memory contains evidence: active processes, network connections, loaded malware. Pull the ethernet cable or revoke the security group in AWS/Azure. If the attacker is in your Kubernetes cluster, cordon the affected nodes. If they are in your database, revoke all external connection strings and rotate to a new endpoint.

Revoke compromised credentials

Immediately rotate every credential that could be compromised: API keys, database passwords, OAuth tokens, SSH keys, and admin console passwords. If you use a secrets manager like HashiCorp Vault or AWS Secrets Manager, trigger an emergency rotation. If your .env files were exposed, assume every secret in them is burned.

Freeze deployments

Halt all CI/CD pipelines. The attacker may have compromised your build pipeline or injected malicious code into a pending deployment. A deployment during an active breach can overwrite forensic evidence or push the attacker's code to production.

Critical Rule

Do not wipe anything

The instinct to "clean up" is strong. Resist it. Every server you wipe, every log you delete, every database you restore from backup is evidence destroyed. You need that evidence for the NDPC investigation, for law enforcement, for your cyber insurance claim, and for the forensic team that will determine how the attacker got in.

Hour 4-12: Preserve forensic evidence

With the immediate bleeding stopped, shift to evidence preservation. Everything you do from this point must maintain a defensible chain of custody.

If your team does not have forensic imaging capabilities, this is the point to engage an external Digital Forensics and Incident Response (DFIR) team. The cost of a DFIR engagement (typically ₦15-50 million for a mid-sized fintech) is a fraction of the regulatory fines you will face if you cannot demonstrate what data was compromised.

Hour 12-24: Assess the scope

Now you need answers to three questions: How did they get in? What did they access? How bad is this?

Determine the attack vector

Correlate your log data to identify the initial entry point. Was it an unprotected API endpoint? A BOLA vulnerability that let the attacker escalate to admin? A phished employee credential? A compromised third-party SDK? Identifying the vector tells you what to patch and what other systems may be affected.

Identify affected customer data

Map every database table and object store the attacker touched. Determine the categories of personal data compromised: BVNs, NINs, phone numbers, transaction histories, account balances, KYC documents. The NDPC notification requires you to specify the "categories of data subjects" and "approximate number of data subjects concerned." If you processed KYC/BVN data, assume it is compromised until proven otherwise.

Estimate financial exposure

Calculate direct losses (stolen funds), potential regulatory fines (up to 2% of gross revenue under NDPA), legal liability (class action exposure based on number of affected users), and operational costs (DFIR fees, emergency security remediation, customer compensation). For a fintech processing ₦500 million monthly, the total breach cost can easily exceed ₦100 million.

Hour 24-48: Notify regulators and legal counsel

You are now inside the NDPA's 72-hour notification window. Do not wait until hour 71.

Need emergency incident assessment? Our team can be on a call within 2 hours to help you scope the breach and plan remediation.

Request Emergency Assessment

Hour 48-72: Communicate strategically

Communication during a breach is a minefield. Say too little, and you look like you are covering up. Say too much, and you hand your adversaries ammunition for lawsuits and your competitors ammunition for sales decks.

Customer notification

Once regulators are notified and legal counsel has approved the language, notify affected customers. Be specific about what data was compromised (do not say "some data may have been affected" when you know 50,000 BVNs were exfiltrated). Explain what you are doing about it. Offer concrete protective steps they can take: changing passwords, monitoring their bank accounts, placing fraud alerts on their BVN through NIBSS. Generic apology emails without actionable guidance destroy credibility.

Partner and vendor notification

If your systems integrate with banking partners, payment processors, or other fintechs via API, notify them. Their systems may also be compromised through your shared API credentials or webhook endpoints. Coordinate with their security teams on credential rotation and traffic monitoring.

Press handling

Do not issue a press statement before you have notified regulators. This is not optional, it is a regulatory requirement that prevents your public statement from contradicting what you have told the NDPC. Prepare a holding statement for media inquiries: acknowledge the incident, confirm you are investigating, and state that you are cooperating with regulatory authorities. Redirect all press inquiries to a single spokesperson.

What NOT to do during a breach

Panic-driven decisions during a breach cause more damage than the breach itself. These are the most common mistakes we see Nigerian fintechs make.

After the 72 hours: Recovery begins

The first 72 hours are about survival. What comes next is about rebuilding. You need a structured approach to rebuilding your security posture that addresses the root cause, validates your remediation, and demonstrates to regulators that you have taken the incident seriously.

The immediate post-breach priorities include:

NIBSS Data

Fraud losses are accelerating

NIBSS reported over ₦18 billion in fraud losses across Nigerian financial institutions in 2024, a 40% increase from the previous year. The median time to detect a breach in the financial sector is 120 days. If your detection time is measured in days rather than minutes, your exposure is compounding every hour the attacker remains undetected.

When to engage Simpa Labs

If you are reading this article during an active incident, reach out immediately. We offer emergency breach assessment engagements that include: scoping the compromise, advising on evidence preservation, performing targeted penetration testing of the exploited attack vector, and producing a remediation report suitable for submission to the NDPC and CBN.

If you are reading this before an incident, the smartest investment you can make is a proactive penetration test and an incident response plan. The companies that survive breaches are the ones that planned for them.

Whether you are responding to an active breach or preparing for one, we can help.

Talk to Our Security Team

Frequently asked questions

Should I shut down all systems immediately after a breach?

No. A full shutdown destroys volatile forensic evidence in memory (RAM) and can alert the attacker that they have been detected, causing them to trigger destructive payloads. Instead, isolate affected systems from the network while keeping them powered on so you can capture memory dumps and preserve evidence.

How quickly must I notify the NDPC after a data breach?

Under the Nigeria Data Protection Act (NDPA), you must notify the Nigeria Data Protection Commission (NDPC) within 72 hours of becoming aware that personal data has been compromised. Failure to meet this window significantly increases your regulatory liability and potential fines.

Should I pay a ransomware demand?

Never pay a ransom without first consulting legal counsel and, ideally, law enforcement (the Nigeria Police Force Cybercrime Unit or Interpol's Nigeria desk). Paying does not guarantee data recovery, may violate anti-money-laundering regulations, and marks your company as a willing payer for future attacks.

What does a post-breach penetration test involve?

A post-breach pentest is a verification engagement that specifically targets the attack vector used in the breach, validates that remediation was effective, and tests for additional weaknesses the attacker may have exploited. It produces a report you can submit to the NDPC and CBN as evidence of remediation.

Related reading

Blog: Cost of a Data Breach · Reporting to NDPC · Sterling-Remita Breach Lessons

Guides: After a Breach · Fintech Security Checklist

Services: Penetration Testing · Vulnerability Assessment