At its Abuja headquarters, the Nigeria Data Protection Commission disclosed that its systems faced more than 2,000 cyber intrusion attempts over a six-month period. The revelation arrives as Nigeria pushes to digitise government services, raising questions about whether the nation's cybersecurity infrastructure can support its ambitious e-governance expansion.
Scale of the Threat Emerges
The NDPC confirmed the 2,000 intrusion attempts in a closed-door session with National Assembly members last week. Commission officials described the attacks as coordinated, sophisticated, and persistent — characteristics that suggest resources and planning beyond typical criminal hackers. The figures represent a sharp increase from the previous reporting period, when attempted breaches numbered in the hundreds.
Dr. Olatunji Yetunde, who served as NDPC Director of Technical Standards until 2023, told reporters the commission lacks the infrastructure to deflect attacks of this volume. "When you are processing sensitive citizen data and you face this level of hostility, you need enterprise-grade defences, not improvised solutions," she said.
What Nigeria's E-Governance Drive Faces
The timing complicates the government's Digital Nigeria programme, which aims to move 70 percent of public services online by 2027. Ministries handling tax collection, business registration, and national identity rely on the same digital architecture the NDPC protects. A successful breach at the commission could expose data belonging to millions of Nigerians.
The government has partnered with international technology firms including Siemens and Microsoft to build portions of this infrastructure. Those companies have built their own cybersecurity requirements into their contracts, and sources familiar with the arrangements say the NDPC breach could trigger contract reviews.
Regulatory Gaps Compound the Problem
The NDPC itself only became operational in 2023, inheriting responsibilities previously scattered across multiple agencies. Critics argue the commission remains understaffed and underfunded relative to its mandate. Internal documents seen by journalists show the NDPC requested 4.5 billion naira in its 2024 budget for cybersecurity upgrades. Parliament approved 1.8 billion.
The gap forces the commission to prioritise which systems receive protection first. Officials acknowledge that some subsystems run on outdated software with known vulnerabilities.
Investors Monitor the Situation
For international businesses considering Nigerian operations, data protection credibility has become a gating factor. The African Development Bank noted in its latest investment climate report that cybersecurity readiness now appears in due diligence questionnaires from 68 percent of foreign investors evaluating sub-Saharan markets.
Nigeria's startup ecosystem, which attracted $1.2 billion in venture funding last year, depends on consumer trust in digital platforms. The NDPC breach, even if no data was stolen, signals weakness in the system supposed to govern that trust.
National Assembly Demands Answers
Lawmakers convened an emergency session following the disclosure. The Senate Committee on Communications called NDPC leadership to explain the attack timeline, whether any data exfiltration occurred, and what the commission planned to do differently. Senator Gbenga Ashafa, who chairs the committee, told journalists outside the session that the legislature would not accept "vague assurances."
Two weeks remain before committee members expect a full technical briefing. The NDPC must produce documentation showing which systems were targeted, what defensive measures existed at the time, and a revised security roadmap.
Technical Partners Face Pressure
The breach also strains relationships with foreign technology partners. The United Kingdom's National Cyber Security Centre issued an advisory to companies operating in Nigeria after the NDPC disclosure, recommending enhanced monitoring of data flows involving Nigerian government systems. That advisory carries commercial consequences — UK firms may reconsider or delay contracts pending further clarity.
Nigerian technology executives say the incident exposes a broader problem: the country trains cybersecurity talent who then emigrate for higher pay. The NDPC competes with banks and mobile networks for the same limited pool of skilled professionals.
What Comes Next
The NDPC has fourteen days to submit its security remediation plan to the National Assembly. Parliament is also drafting amendments to the Nigeria Data Protection Act that would grant the commission stronger enforcement powers and mandatory breach reporting timelines. If those amendments pass, companies handling Nigerian citizen data could face new compliance costs before the end of the fiscal year.
International observers will watch whether Nigeria follows through with adequate funding. The alternative — continued underinvestment in digital defences — risks not only national security but the foreign investment the country needs to close its infrastructure gap.
The NDPC breach, even if no data was stolen, signals weakness in the system supposed to govern that trust.National Assembly Demands AnswersLawmakers convened an emergency session following the disclosure. Officials acknowledge that some subsystems run on outdated software with known vulnerabilities.Investors Monitor the SituationFor international businesses considering Nigerian operations, data protection credibility has become a gating factor.
