Why breaches stay hidden in Nigerian companies
The global average time to detect a data breach in financial services is 197 days. Nigerian companies frequently exceed this number. The reasons are structural: most mid-market Nigerian firms lack dedicated Security Operations Centres (SOCs), centralized log aggregation is rare outside the Tier-1 banks, and the cybersecurity talent gap means that even companies with budget struggle to hire experienced analysts.
The cost of this detection gap is enormous. NIBSS reported electronic fraud losses exceeding ₦18 billion in recent years. The Nigeria Data Protection Commission (NDPC) processed a 340% increase in breach-related complaints between 2023 and 2025. Under the Nigeria Data Protection Act (NDPA) 2023, the 72-hour breach notification clock starts when you become "aware" of the incident - but if you lack the monitoring to become aware, you are both in violation and actively hemorrhaging data.
The nine indicators below are what we consistently see in companies that are in the middle of a breach without knowing it. Each one is something you can check today, without specialized tools.
1. Customers reporting phishing emails containing their real personal data
This is the most definitive external indicator of a data breach. When your customers start forwarding you phishing emails that contain their real names, account numbers, BVN fragments, or transaction amounts, it means the attacker already has your customer database. They are using that data to craft highly convincing phishing campaigns that reference real account details to trick your customers into surrendering additional credentials or making payments to fraudulent accounts.
What to look for: Monitor your customer support channels for complaints about suspicious emails or SMS messages that reference specific account details. Track the volume and pattern - are complaints coming from customers who registered in a specific time period? That would indicate a partial database export rather than a full dump. Check whether the phishing emails reference internal product names, feature flags, or promotional offers that would only be known through database access.
Why it matters in Nigeria: BVN data is a master key to financial identity in Nigeria. If your database has been breached and BVN data is circulating, your customers are not just at risk of phishing - they are at risk of identity theft across every financial institution they have a relationship with. The security of KYC and BVN data is a direct regulatory obligation under both the NDPA and the CBN's consumer protection framework.
Immediate response: Correlate all customer reports to identify the scope of the exposure. Cross-reference the affected accounts against your access logs to determine when the data was exfiltrated. Notify the NDPC within 72 hours. Issue a targeted advisory to affected customers advising them to update their credentials across all financial platforms.
2. Unusual login patterns from foreign IP addresses or at odd hours
Your application serves Nigerian customers. Your engineering team is in Lagos and Abuja. If your authentication logs show successful logins from IP addresses in Russia, Vietnam, or Brazil at 3am WAT, those are not legitimate users - they are compromised accounts being accessed by attackers.
What to look for: Aggregate your authentication logs and filter for logins from IP addresses outside Nigeria (or outside your known user geography). Look for logins at unusual hours - between midnight and 5am WAT - especially on admin and internal tool accounts. Check for "impossible travel" patterns: a user logging in from Lagos at 2pm and from Amsterdam at 2:15pm. Also look for a high volume of successful logins from a single IP address across multiple different user accounts - this is a credential stuffing pattern.
Why it matters: Foreign IP logins on customer accounts indicate account takeover - the attacker has valid credentials (likely from credential stuffing or SIM swap attacks). Foreign IP logins on employee accounts indicate potential insider credential compromise, which could give the attacker access to your admin panel, customer database, or deployment pipeline.
Immediate response: Force password resets on all accounts showing anomalous login patterns. Implement geo-fencing on admin accounts - no admin login should be accepted from outside Nigeria without additional verification. Enable Multi-Factor Authentication across all accounts if not already in place. Block the suspicious IP ranges at your WAF or reverse proxy.
3. Database queries pulling bulk records
In normal application operation, database queries are scoped: they retrieve specific records based on user IDs, session tokens, or transaction references. If your database monitoring shows queries returning thousands or tens of thousands of rows at once - particularly against tables containing customer PII, transaction histories, or financial data - that is an exfiltration pattern, not a legitimate application query.
What to look for: Enable query logging and monitor for SELECT statements that return abnormally large result sets. In PostgreSQL, use pg_stat_statements to identify queries with high row counts. Look for queries against your users, transactions, wallets, or KYC tables that do not include specific filtering conditions (WHERE clauses). Check for queries that dump entire tables using SELECT * with no LIMIT. Review your application's database connection pool - are there connections from unfamiliar source IPs?
What it means: An attacker has gained access to your database - either through compromised application credentials, SQL injection, or direct database access via stolen credentials - and is systematically extracting your data. The bulk nature of the queries suggests they are building a complete copy of your customer database for external sale or exploitation.
Immediate response: Identify the source of the bulk queries (application server, direct connection, or compromised service account). Revoke the credentials being used. Implement database activity monitoring (DAM) that alerts on queries exceeding normal row count thresholds. Restrict database access to application-layer service accounts only, with no direct human login permitted in production. Refer to our PostgreSQL hardening guide for specific implementation steps.
Recognizing any of these indicators in your environment? The 72-hour NDPA notification window is already ticking.
Request an Emergency Assessment4. Employees receiving targeted spear-phishing referencing internal details
When your engineering lead receives a phishing email that references a specific internal project name, mentions the exact cloud provider you use, or addresses them by their internal team title rather than their public LinkedIn title, the attacker has already conducted reconnaissance inside your organization. They know your org structure, your tech stack, and your internal communication patterns.
What to look for: Train employees to report suspicious emails immediately and track the specificity of the content. Generic phishing ("Dear Customer") is bulk spam. Targeted phishing that references internal Slack channel names, Jira project keys, or the name of your CI/CD tool indicates that the attacker either has access to internal communications (email compromise, Slack breach) or has obtained internal documentation from a previous data leak.
What it means: Your organization has already been partially compromised. The attacker is using information gathered from that initial compromise to launch a deeper, more targeted attack - typically aimed at obtaining credentials for higher-privilege systems like your cloud console, database, or payment gateway admin panel.
Immediate response: Audit all employee email accounts for forwarding rules (a common attacker persistence technique - they set up a forwarding rule to receive copies of all emails). Review access logs for your internal communication tools. Conduct a social engineering assessment to identify which employees are most susceptible and what internal information has already leaked.
5. Sudden spike in password reset requests
If your password reset endpoint suddenly sees a 500% increase in requests over a 48-hour period, and this does not correlate with a marketing campaign or a known service disruption, you are likely experiencing the opening salvo of a credential-based attack.
What to look for: Monitor the volume of password reset requests against your historical baseline. Look for reset requests targeting a large number of different accounts from a small number of IP addresses. Check whether reset tokens are being used - a high volume of reset requests with a low redemption rate indicates automated enumeration (the attacker is confirming which email addresses exist in your system). A high volume with a high redemption rate indicates active account takeover.
What it means: In the enumeration scenario, the attacker is building a list of valid accounts to target in a subsequent credential stuffing attack. In the takeover scenario, the attacker already controls the email addresses or phone numbers associated with the accounts (via email compromise or SIM swap) and is using the reset flow to gain application access.
Immediate response: Implement rate limiting on your password reset endpoint immediately. Add CAPTCHA to the reset flow. Ensure password reset tokens are single-use and expire within 15 minutes. Do not disclose whether an email address exists in your system - always return the same generic response regardless of whether the email is registered. Review your API security practices for additional hardening steps.
6. Your customer data appearing on Telegram channels or dark web paste sites
In the Nigerian cybercrime ecosystem, Telegram has largely replaced traditional dark web forums as the primary distribution channel for stolen data. Channels specializing in Nigerian banking data, BVN lookups, and NIN verification services operate openly, selling access to databases that were exfiltrated from compromised platforms.
What to look for: Use breach monitoring services (Have I Been Pwned, SpyCloud, Flare, or Hudson Rock) to check whether your company's domain appears in known breach databases. Search dark web monitoring platforms for your company name, product name, and API endpoint URLs. Monitor Nigerian-focused Telegram channels that trade in financial data - if your customer records appear with formatting or field names that match your database schema, the source is your platform.
Why it matters in Nigeria: The NIN database leaks, the 60 million telecom records traded on dark web forums, and the BVN lookup services all demonstrate that Nigerian customer data has a thriving secondary market. Under the NDPA, the company from which the data was exfiltrated bears the regulatory burden - not the marketplace that sells it. Penalties include up to ₦10 million or 2% of annual gross revenue, plus potential class action liability under Nigeria's emerging data rights jurisprudence.
Immediate response: Confirm the data's authenticity by comparing samples against your database. If confirmed, notify the NDPC immediately, engage legal counsel, and issue breach notifications to affected customers. Conduct a forensic investigation to identify the exfiltration vector. Engage a professional team to assess your full breach risk exposure.
7. Unexplained regulatory inquiries
If the NDPC, CBN, or NCC contacts your company with questions about data handling practices or specific customer complaints that you were not previously aware of, it is possible that a data breach has already been reported to the regulator by affected individuals - and you are the last to know.
What to look for: Any formal inquiry from the NDPC regarding customer data complaints, any CBN circular requesting information about security incidents, or any request from a partner bank or payment processor for your latest penetration test report or security certification should be treated as a potential indicator that external parties are aware of a breach you have not yet detected internally.
What it means: Customers or third parties have reported data exposure to regulators before you detected it. This is the worst-case scenario from a compliance perspective, because it means you have already failed the NDPA's 72-hour notification requirement, which significantly increases your penalty exposure and reduces your ability to negotiate a favourable regulatory outcome.
Immediate response: Respond to the regulatory inquiry promptly and transparently. Engage legal counsel with NDPA expertise. Launch an internal investigation immediately. Do not attempt to minimize or deny - Nigerian regulators increasingly treat cover-ups more harshly than the original incident. Review our NDPA compliance analysis for detailed regulatory requirements.
8. Partner companies suddenly asking about your security posture
When your banking partner, payment processor, or enterprise client unexpectedly requests a copy of your latest pentest report, SOC 2 certification, or ISO 27001 documentation - outside of the normal annual review cycle - it often means they have received intelligence suggesting your platform may be compromised. Banks and payment processors subscribe to threat intelligence feeds and participate in information-sharing networks (like FS-ISAC) that surface indicators of compromise across their partner ecosystems.
What to look for: Track the frequency and timing of security posture requests from partners. An off-cycle, urgent request is qualitatively different from a routine annual renewal. If multiple partners make similar requests within a short window, the probability of a shared intelligence trigger is high. Also watch for partners quietly reducing transaction limits, adding friction to settlements, or implementing additional verification on transactions originating from your platform.
What it means: Your partners may have seen indicators of compromise associated with your platform - anomalous transaction patterns, compromised credentials appearing on threat intelligence feeds, or customer complaints routed through the partner's channels rather than yours. For guidance on responding to these inquiries and using security as a competitive advantage, see our article on proving security to enterprise clients.
Immediate response: Respond to partner inquiries promptly with accurate, current documentation. Use the inquiry as a trigger for an internal security audit. If you do not have a recent pentest report, schedule one immediately - your partner relationship may depend on it. Review our guide on security as a competitive advantage for managing these situations proactively.
9. Internal tools running noticeably slower
Performance degradation in internal tools - your admin dashboard, reporting systems, or back-office applications - without a corresponding increase in legitimate usage or a known infrastructure change can indicate active data exfiltration consuming bandwidth and compute resources.
What to look for: Compare current performance baselines against historical data. Check network bandwidth utilization - is there unexplained outbound traffic? Review CPU and memory usage on application servers for processes you do not recognize. Look for increased disk I/O on database servers, which could indicate bulk data reads. If your internal tools share infrastructure with production systems, check whether the performance degradation correlates with the timing of any of the other indicators in this article.
What it means: An attacker actively exfiltrating data consumes bandwidth, compute cycles, and database IOPS. Large-scale data extraction - particularly when the attacker is compressing, encrypting, or encoding data before transmission - generates measurable performance impact. This is especially noticeable in Nigerian companies running on bandwidth-constrained infrastructure where a few megabits per second of exfiltration traffic represents a significant percentage of total available bandwidth.
Immediate response: Investigate the source of the performance degradation. Check for unauthorized processes, unexpected network connections, and abnormal database activity. If you identify active exfiltration, isolate the affected systems. Implement egress filtering to restrict outbound traffic to known, whitelisted destinations. Consider a full architecture review to identify and close the gaps that allowed the compromise.
Detection is only the first step
Identifying these indicators is critical, but it is only the beginning. Every confirmed indicator triggers regulatory obligations under the NDPA (72-hour notification to NDPC), potential CBN reporting requirements for licensed financial institutions, and customer notification duties. The companies that navigate breaches with the least damage are those that had an incident response plan documented and tested before the incident occurred - not those that scrambled to create one during a crisis. If you do not have a plan, read our post-breach response guide and start building one today.
Need to determine whether your company is currently experiencing a data breach? Our team conducts targeted compromise assessments for Nigerian companies.
Book a Compromise AssessmentFrequently asked questions
How long do data breaches go undetected in Nigerian companies?
The global average for financial services is 197 days from breach to detection. Nigerian companies often exceed this because many lack dedicated security monitoring teams, centralized logging, and automated alerting. Breaches are frequently discovered only when customer data surfaces on Telegram channels or when the NDPC initiates an inquiry based on external complaints.
What are the NDPA penalties for a data breach in Nigeria?
Under the Nigeria Data Protection Act (NDPA) 2023, companies that fail to protect personal data or fail to report a breach within 72 hours can face fines of up to ₦10 million or 2% of annual gross revenue, whichever is greater. The NDPC can also order the company to cease data processing activities, which for a fintech effectively means shutting down operations.
Can I check if my company's data has been leaked on the dark web?
Yes. Services like Have I Been Pwned, SpyCloud, and Flare monitor dark web marketplaces, paste sites, and Telegram channels for leaked credentials and data. You can also engage a threat intelligence firm to conduct targeted monitoring for your company's domain, employee email addresses, and customer data indicators. Some breach notification services offer free domain-level searches.
What is the difference between a data breach and a data leak?
A data breach typically involves unauthorized access to your systems - an attacker breaking in and extracting data. A data leak is when data is accidentally exposed due to misconfiguration - like a public S3 bucket or an unsecured API endpoint returning data without authentication. Both trigger the same regulatory obligations under the NDPA, and both can be equally damaging to your customers and reputation.
Related reading
Blog: 12 signs your backend is compromised · Cost of a data breach for Nigerian fintechs · Lessons from the Sterling Bank / Remita breach · NDPA vs NDPR: what changed
Guides: What to do after a breach · NDPR/NDPA compliance guide · Breach risk assessment for Nigeria
Services: Penetration testing · Vulnerability assessment · Digital banking security