Open Access
ARTICLE
From One Unpatched Server to National Exposure: The Sterling Bank–Remita Chain Breach of 2026
1 Computer Science Department, Faculty of Physical Sciences, Nnamdi Azikiwe University, Anambra, Nigeria
2 Department of Computer Science, University on the Niger, Umunya, Nigeria
3 Department of Computer Science, Chukwuemeka Odumegwu Ojukwu University, Uli, Nigeria
* Corresponding Author: Chinedum Amaechi. Email:
Journal of Cyber Security 2026, 8, 357-371. https://doi.org/10.32604/jcs.2026.084201
Received 17 April 2026; Accepted 30 April 2026; Issue published 18 June 2026
Abstract
Background: In March 2026, Nigeria’s financial sector experienced a cascading cybersecurity breach that compromised both a commercial bank and the nation’s primary government payment infrastructure. Objective: This paper provides the first academic analysis of the Sterling Bank–Remita chain breach, examining how a single unpatched vulnerability led to the exposure of approximately 900,000 customer records and 3 terabytes of national payment data. Methods: Using open-source intelligence (OSINT) methodology and the MITRE ATT&CK framework (version 16), the attack chain was reconstructed from actor-published artefacts on the spear.cx cybercrime forum, cross-referenced with regulatory statements and vulnerability databases. The novelty of this research lies in its use of real-time dark web artefacts to achieve pre-forensic transparency. Results: The actor exploited CVE-2025-55182 on an unpatched Sterling Bank pilot server (‘enf-pilot.sterling.ng’), maintained persistence for nine days without detection, and pivoted to Remita using trusted inter-bank relationships. Exfiltrated data included 657,242 Know Your Customer (KYC) documents (588 GB), 35,000+ password hashes, and a directory of 46 Hardware Security Module (HSM) key files named for every major Nigerian bank. An ablation analysis reveals that while the Remote Code Execution (RCE) vulnerability provided entry, the lateral movement was uniquely dependent on the failure in environment segmentation. Conclusions: The incident reveals systemic failures across technical (unpatched vulnerabilities, hardcoded secrets), organizational (nine-day detection failure, non-disclosure), and regulatory (weak cross-institutional mandates) levels. Without zero-trust inter-bank security and enforced breach notification, similar chain breaches remain inevitable.
Implications: This study serves as a formal case study for supply-chain risk in interconnected financial infrastructures; it should also inform cybersecurity curricula and regulatory reform in Nigeria and other emerging economies with interconnected financial infrastructure.
Copyright © 2026 The Author(s). Published by Tech Science Press. This work is licensed under a Creative Commons Attribution 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

