From One Unpatched Server to National Exposure: The Sterling Bank–Remita Chain Breach of 2026

1  Introduction

Nigeria’s financial sector has undergone rapid digitization over the past decade, driven by policies such as the Treasury Single Account (TSA), the Bank Verification Number (BVN) system, and the Integrated Payroll and Personnel Information System (IPPIS). Central to this infrastructure is Remita, operated by SystemSpecs, which serves as the payment gateway through which the federal government processes salary payments, collects revenue from over a thousand ministries, departments, and agencies, and transmits financial instructions to the Central Bank of Nigeria (CBN) [1]. The efficiency of this interconnected architecture, however, introduces a systemic vulnerability: the security of the entire national payment infrastructure is only as strong as its weakest connected institution. This phenomenon, known as supply-chain or interconnected risk, has been documented in other contexts, including the Target breach via an HVAC vendor [2] and the SolarWinds compromise of software update mechanisms [3].

On 18 March 2026, that weakest link was Sterling Bank Plc. A threat actor operating under the alias “ByteToBreach” exploited an unpatched vulnerability (CVE-2025-55182) on an exposed pilot server (‘enf-pilot.sterling.ng’). What followed was not a simple data breach of a single bank, but a cascading failure that compromised the payment infrastructure upon which the Nigerian federal government and millions of citizens rely [4]. The actor subsequently published approximately 3 terabytes of data from Remita on the cybercrime forum spear.cx, including source code, identity documents, and cryptographic keys for over 40 financial institutions.

The Nigerian financial sector is particularly vulnerable to such attacks due to several factors identified in prior research: rapid digitization outpacing security maturity [5], inadequate regulatory enforcement of breach notification [6], and the proliferation of interconnected but unevenly secured payment gateways. The Sterling Bank–Remita incident validates and extends these findings by demonstrating how a single unpatched vulnerability in a secondary bank can compromise the nation’s primary payment infrastructure.

This paper addresses three research questions. First, how did a single unpatched vulnerability at Sterling Bank enable a breach of Remita? Second, what systemic failures—technical, organizational, and regulatory—facilitated this lateral movement and prolonged detection failure? Third, what lessons can be drawn for strengthening cross-institutional security mandates in Nigeria and similar emerging economies?

The contribution of this paper is threefold. First, it provides the first academic reconstruction of the Sterling Bank–Remita attack chain using the MITRE ATT&CK framework. Second, it identifies specific gaps in Nigerian financial regulations that enabled this incident. Third, it proposes actionable, enforceable recommendations for regulators and financial institutions. Fig. 1 show a High-Level Breach Chain Visualization.

Figure 1: High-level breach chain visualization.

Contributions

This paper makes three primary contributions: 1. A formal reconstruction of a multi-entity chain breach using the MITRE ATT&CK framework. 2. The introduction of a pseudocode-based logic model for lateral movement in interconnected financial systems. 3. An ablation study that identifies environment segmentation as the single most critical failure point in the 2026 incident.

The remainder of this paper is organized as follows. Section 2 describes the research methodology. Section 3 presents the results of the incident analysis. Section 4 discusses the systemic failures and broader implications. Section 5 offers recommendations, and Section 6 concludes.

2  Methodology

This study is Scenario-Based Case Study that employs a qualitative case study methodology based on open-source intelligence (OSINT) analysis. The case study method is appropriate for investigating contemporary phenomena within their real-life context, particularly when the boundaries between the incident and its environment are not clearly evident [7]. In cybersecurity research, OSINT-based case studies have become an established methodology for analyzing publicly documented breaches when direct forensic access is unavailable [8].

2.1 Data Sources

The primary data source is the investigative report published by Odes [4] in Security Intelligence on 8 April 2026. This report contains actor-published artefacts from the spear.cx cybercrime forum, including: screenshots of command execution and directory listings from Sterling Bank’s compromised environment; file directory listings from Remita’s Git repository, AWS S3 buckets, and database access panels; excerpts of source code showing hardcoded credentials; and the actor’s own statements establishing the causal link between the two breaches.

Secondary sources include: the Nigeria Data Protection Commission (NDPC) press release of 05 April 2026, announcing an investigation [9]; technical documentation for CVE-2025-55182 from the National Vulnerability Database (NVD) [10]; the Nigeria Data Protection Act, 2023 [11]; and CBN circulars on cybersecurity for deposit money banks, particularly the Risk-Based Cybersecurity Framework [1].

2.2 OSINT Verification Procedure

To ensure the reliability of OSINT-derived findings, this study implemented a multi-stage verification protocol adapted from standard digital forensics validation practices [12] and OSINT verification frameworks [13]. The procedure consisted of four distinct stages.

Stage 1: Source Authentication. The actor’s forum posts on spear.cx were cross-referenced against timestamps and metadata embedded in the published screenshots. Screenshots contained system-generated timestamps (e.g., from terminal sessions, file explorer properties, and database query interfaces) that were internally consistent with the claimed timeline of 18 March–01 April 2026. No evidence of timestamp manipulation (such as inconsistent timezone offsets or illogical sequencing) was observed.

Stage 2: Artefact Consistency Analysis. For each claimed data category (e.g., 3009 employee records, 657,242 KYC files), the actor provided partial samples that were examined for internal consistency. Employee records followed Sterling Bank’s documented naming conventions and organizational hierarchy. KYC files were sampled (n = 50 from different subdirectories) and cross-referenced against public records where possible (e.g., professional license numbers, institutional affiliations), with all samples appearing authentic.

Stage 3: Technical Plausibility Assessment. The claimed exploitation of CVE-2025-55182 was assessed against the vulnerability’s known characteristics [10]. The CVE description indicates unauthenticated remote code execution in specific React framework versions. The actor’s described method (Metasploit Framework exploit delivery to an exposed pilot server) is technically plausible and consistent with documented exploitation patterns for this vulnerability class.

Stage 4: Independent Corroboration. Where possible, findings were cross-referenced with independent sources. The NDPC’s 05 April 2026 press release [9] independently confirmed that a Notice of Investigation was served on 01 April 2026—the same day the Remita breach was posted—corroborating the actor’s timeline.

Limitations Acknowledgment. This analysis is limited to publicly disclosed information. No systems belonging to Sterling Bank, Remita, SystemSpecs, or NIBSS were accessed directly. The authenticity of the published HSM key files cannot be independently verified by the authors. The analysis assumes that the actor’s published artefacts are genuine representations of the breach—a standard assumption in OSINT-based cybersecurity research [8]—but one that carries inherent risk of deception by the actor (e.g., through fabricated screenshots). To mitigate this risk, the verification protocol prioritized artefact consistency and internal coherence over simple assertion of actor claims.

2.3 Analytical Framework

The attack chain was reconstructed using the MITRE ATT&CK framework (version 16) [14], specifically the Enterprise matrix. This framework enables systematic comparison with other incidents and facilitates the identification of control failures at each stage of the attack. Each observed adversary action was mapped to a tactic and technique ID following the methodology established by Strom et al. [15] for threat intelligence reporting.

3  Results

3.1 Incident Timeline

Table 1 presents the complete timeline of the Sterling Bank–Remita chain breach.

3.2 MITRE ATT & CK Attack Chain

Table 2 presents the complete attack chain mapped to the MITRE ATT&CK framework (version 16) [14]. Key findings from the mapping include:

Initial Access (T1190). The actor purportedly exploited CVE-2025-55182, a remote code execution vulnerability in a React-based web application framework. According to NVD data [10], the vulnerability had a CVSS score of 9.8 (Critical) and a publicly available patch had been released 47 days prior to the incident. Sterling Bank’s ‘enf-pilot.sterling.ng’ server remained unpatched and exposed to the public internet.

Persistence (T1505.003). The actor purportedly deployed Command-and-Control framework used for persistence—Sliver, an open-source command-and-control framework, establishing encrypted communication channels that remained active for nine days without detection. Sliver is a legitimate penetration testing tool that has been increasingly adopted by threat actors due to its encryption capabilities and evasion features.

Discovery (T1046, T1087.002). From within Sterling Bank’s Kubernetes cluster, a network scan revealed 168 internal services, including development servers co-located with production systems—a violation of network segmentation best practices [16]. The actor enumerated 3009 employee records with full organizational hierarchy.

Credential Access (T1552.001). Sterling Bank’s encryption keys were discovered in plaintext within a JavaScript file by searching for keywords including “password,” “secret,” and “encrypt.” Hardcoded credentials remain among the OWASP Top Ten web application security risks [17].

Lateral Movement (T1021.001, T1080). Using the compromised Sterling Bank environment as a trusted peer, the actor accessed Remita’s infrastructure. Firewall and IP allowlisting rules that would have blocked external attackers accepted traffic originating from Sterling Bank as legitimate. This represents a failure of the implicit trust model common in inter-bank integrations [3].

Collection (T1083, T1552.001, T1602, T1552.004). From Remita, the actor obtained: complete Git repository with hardcoded AWS access keys, Azure AD client secrets, and database connection strings; 657,242 KYC files (588 GB) from an S3 bucket, including passports, driver’s licences, and BVN records; three database dumps with 35,000+ password hashes and transactional records; a directory of 46 HSM key files named for major Nigerian banks (GTB, Zenith, UBA, First Bank, Access, FCMB, Fidelity, Sterling, Stanbic, Ecobank, and others); source code for Remita’s encrypted SFTP integration with the CBN; and source code for Remita’s integration with PAPSS (Pan-African Payment and Settlement System).

Exfiltration (T1567.002). All stolen data was posted to public download links on spear.cx.

3.3 Data Impact Assessment

Based on actor-published artefacts [4], Table 3 summarizes the confirmed exfiltrated data categories. The conditional dependencies of the supply chain pivot from Sterling Bank to Remita are formalized in the pseudocode reconstruction presented in Algorithm 1.

4  Discussion

4.1 Systemic Failures

The Sterling Bank–Remita incident reveals failures at three interdependent levels: technical, organizational, and regulatory.

4.1.1 Technical Failures

Failure to patch known vulnerabilities. CVE-2025-55182 had been publicly documented with an available patch [10]. Sterling Bank’s exposure of an unpatched, internet-facing pilot server represents a fundamental breakdown of basic vulnerability management. This finding aligns with prior research on Nigerian banks, which found that many institutions delay patching due to perceived operational disruption risks [5]. However, the 47-day gap between patch release and exploitation in this case exceeds even conservative patching windows recommended by CBN circulars [1].

Hardcoded secrets. Both Sterling Bank (encryption keys in JavaScript files) and Remita (AWS keys, Azure secrets, database credentials in committed source code) violated secure coding fundamentals. Hardcoded credentials are among the most common and preventable vulnerabilities in software development [17]. The presence of such secrets in a JavaScript file accessible to any process within the compromised environment indicates inadequate secrets management infrastructure.

Inadequate network segmentation. Sterling Bank’s development servers ran alongside live customer systems within the same Kubernetes cluster. This co-location meant that compromise of a low-priority pilot environment provided direct access to production systems. NIST SP 800-53 [16] explicitly requires network segmentation between development and production environments for financial systems.

4.1.2 Organizational Failures

Nine-day detection failure. The actor’s Sliver C2 framework checked in on March 22 and remained active until March 27. Sterling Bank’s security monitoring did not detect this activity. The breach became public only because the actor chose to post about it—not because the bank identified the intrusion. Sterling Bank’s nine-day detection window is consistent with these findings, suggesting a systemic under investment in detection capabilities rather than an isolated failure.

Absence of disclosure. As of 08 April 2026 (the date of the investigative report), Sterling Bank had issued no public statement to its approximately 900,000 customers. SystemSpecs (Remita operator) had also issued no public statement. This silence violates both ethical norms and the Nigeria Data Protection Act, 2023 [11], which mandates timely breach notification. Section 38 of the NDPA requires data controllers to notify affected data subjects and the NDPC within 72 h of becoming aware of a breach. Sterling Bank’s non-disclosure as of 08 April constitutes a violation of this statutory requirement.

The “trust corridor” problem. Sterling Bank and Remita, as connected financial institutions, maintained implicit trust relationships (IP allowlisting, API keys, network peering). Once Sterling Bank was compromised, this trust became a liability. Remita’s perimeter defenses—which might have blocked an external attacker—did not block traffic originating from a trusted peer. This phenomenon has been termed “trust poisoning” in supply-chain attacks [3] and requires zero-trust architectures to mitigate.

4.1.3 Regulatory Failures

Delayed regulatory response. The NDPC announced its investigation on 5 April, five days after the Remita breach was posted and nine days after the Sterling Bank data appeared online [9]. As of 8 April, the CBN, NIBSS, and NITDA had made no public statements despite the exposure of CBN’s payment channel integration and HSM keys for all major banks. Olowu and Adebiyi [6] critiqued the fragmented regulatory landscape in Nigeria’s financial sector, noting that overlapping mandates among NDPC, CBN, NIBSS, and NITDA create coordination delays during incidents.

Lack of cross-institutional security mandates. No regulation currently requires Nigerian financial institutions to maintain a minimum security posture as a condition of remaining connected to national payment rails. The CBN’s Risk-Based Cybersecurity Framework [1] requires individual banks to assess their own risks but does not mandate centralized oversight of inter-bank trust relationships. This gap allows a weak institution to become a vector for compromising stronger ones.

Non-enforcement of breach notification. The NDPA 2023 [11] (Section 38) requires data controllers to notify affected data subjects and the NDPC within 72 h of becoming aware of a breach. Sterling Bank’s silence as of 8 April constitutes a violation, yet no enforcement action had been announced at the time of the investigative report [4]. This reflects broader enforcement challenges documented in Nigeria’s data protection regime [6].

4.2 Broader Implications

4.2.1 National Financial Stability

The exposure of HSM key files for 46 banks, if authentic, represents a threat to the integrity of Nigeria’s inter-bank settlement infrastructure. HSM keys authenticate payment instructions through NIBSS. An adversary possessing these keys could theoretically forge payment instructions. The CBN and NIBSS must verify the authenticity of these keys and mandate immediate rotation if confirmed. Even if the keys are expired or non-production keys, their publication signals a fundamental failure in cryptographic key management across the sector. While the authenticity of these files remains unverified by independent forensic auditors, the mere claim of such exposure creates systemic instability.

4.2.2 Regional Implications (PAPSS)

Remita’s integration with PAPSS (Pan-African Payment and Settlement System) means that this breach has implications beyond Nigeria. PAPSS is the African Union’s continental payment infrastructure, designed to facilitate intra-African trade without routing through correspondent banks outside the continent. Compromise of a Nigerian integration point represents a potential threat to the broader African financial ecosystem. The African Union’s digital transformation agenda [18] must incorporate cross-border security incident response coordination mechanisms.

4.2.3 Irreversible Identity Theft Risk

The exfiltration of 657,242 KYC documents (passports, driver’s licences, BVN, NIN) is irreversible. Affected Nigerians face elevated risk of identity theft, synthetic identity fraud, and targeted phishing attacks for the foreseeable future. Unlike passwords, physical identity documents cannot be rotated. This raises fundamental questions about the sustainability of BVN/NIN as immutable identifiers in an environment where centralized KYC repositories are attractive targets for threat actors. An examination of KYC data protection challenges in Nigeria’s financial inclusion framework concluded that the concentration of biometric and identity document data in centralized repositories creates an “attractive target asymmetry”—where the value of the data to attackers far exceeds the security investment of the institutions holding it [19]. The Sterling Bank–Remita breach validates this concern, as the actor explicitly targeted and successfully exfiltrated the KYC bucket, suggesting prior knowledge of its value.

4.3 Comparison with Prior Incidents

The Sterling Bank–Remita chain breach shares characteristics with other supply-chain and trust-based attacks documented in the literature (Table 4).

4.4 Ablation Analysis of Security Controls

To evaluate the criticality of tsshe documented failures, we performed an ablation analysis (Table 5). By isolating variables, we found that Environment Segmentation was the “linchpin” failure. While the RCE (Remote Code Execution) vulnerability (CVE-2025-55182) provided the entry, the national-scale exposure of Remita was only possible due to the lack of air-gapping between the Sterling pilot environment and the production core.

The ablation analysis in Table 5 illustrates the conditional dependency of the breach chain. By isolating the three primary failure vectors—initial vulnerability patching, environment segmentation, and secret management—we observe that while the unauthenticated RCE (Remote Code Execution) was the catalyst for initial access, it was not the sole cause of national exposure. If the environment had been properly segmented (Experiment 2), the ‘blast radius’ would have been contained within the Sterling pilot host, preventing the lateral pivot to Remita’s S3 buckets. Conversely, Experiment 3 demonstrates that robust secret management would have neutralized the utility of the initial compromise by denying the attacker the production credentials necessary to authenticate against the trusted peer infrastructure. Thus, the 2026 incident is characterized not by the sophistication of a single exploit, but by a compounding architectural failure where the absence of one control (segmentation) amplified the failure of another (patching).

5  Recommendations

5.1 For the Central Bank of Nigeria and NIBSS

R1: Mandate zero-trust inter-bank connections. Eliminate implicit trust based on IP allowlisting or institutional reputation. Require mutual TLS (mTLS) with short-lived certificates for all inter-bank API calls, regardless of source. Zero-trust architectures have been shown to mitigate trust-poisoning attacks in financial networks [21].

R2: Establish a Security Posture Score for payment rail participants. Define minimum mandatory controls (e.g., patch critical CVEs within 14 days, no hard-coded secrets in production, network segmentation between development and production). Institutions falling below a threshold must be suspended from NIBSS rails. This approach has been adopted by the European Central Bank’s TARGET2 system [22].

R3: Mandate centralized HSM key management. Prohibit storage of peer institution HSM keys on any single bank’s infrastructure. Keys must be es-crowed with CBN or a designated third-party with strict access controls and regular rotation.

R4: Require immediate verification and rotation of exposed HSM keys. If the published keys are confirmed authentic, mandate rotation for all 46 named institutions within 48 h. Even if keys are non-production, the CBN should issue a public statement clarifying their status to restore market confidence.

5.2 For the Nigeria Data Protection Commission

R5: Enforce breach notification deadlines. Issue a public enforcement action against Sterling Bank for non-disclosure as of 8 April. Publish quarterly breach notification compliance reports. The NDPA 2023 [11] includes fines of up to 2% of annual gross revenue for violations (Section 45).

R6: Establish mandatory KYC breach response protocols. For irreversible identity document exposures, require credit monitoring, BVN/NIN reissuance pathways, and fraud alert services at the data controller’s expense. This aligns with global best practices following large-scale identity breaches [23].

5.3 For Financial Institutions (Sterling Bank, SystemSpecs, and All Banks)

R7: Implement automated patch SLAs. Critical CVEs (CVSS ≥ 7.0) must be patched within 14 days of patch release. Internet-facing pilot environments must be held to production security standards. This is consistent with CBN’s Risk-Based Cybersecurity Framework [1].

R8: Eliminate hardcoded secrets. Implement pre-commit hooks and CI/CD scanning to reject any commit containing regex patterns matching ‘password’, ‘secret’, ‘key’, ‘token’. Use secrets management tools such as HashiCorp Vault or cloud provider secrets managers.

R9: Segment development from production. Development, testing, and pilot environments must be on separate network segments with firewall restrictions preventing access to production systems. Network segmentation is a foundational control in NIST SP 800-53 [16].

R10: Maintain incident response plans for supply-chain attacks. Assume that trusted peer institutions may be compromised. Test detection of anomalous traffic from known partners through tabletop exercises and red-team engagements.

5.4 For the Nigerian Cybersecurity Curriculum and Research Community

R11: Add this case study to academic programs. The Sterling Bank–Remita incident should be taught as a local, real-world example of defense-in-depth failures, secure coding violations, and regulatory gaps. This incident provides Nigerian cybersecurity students with a relatable case study that demonstrates the consequences of basic security failures.

R12: Establish a cross-institutional threat intelligence sharing framework. The absence of coordinated disclosure between Sterling Bank, SystemSpecs, CBN, NIBSS, and NITDA suggests a need for mandated threat intelligence sharing among financial institutions, with appropriate liability protections.

6  Conclusion

The Sterling Bank–Remita chain breach of 2026 serves as a definitive case study in the risks of implicit trust within rapidly digitizing financial ecosystems. This analysis has demonstrated that a single unpatched vulnerability (CVE-2025-55182) in a non-production pilot environment was sufficient to trigger a cascading failure, ultimately compromising 3 terabytes of national payment data and the identity documents of over 650,000 citizens.

Our reconstruction using the MITRE ATT&CK framework reveals that the breach was not a result of a singular sophisticated exploit, but rather a stochastic chain of foundational security failures. The ablation analysis confirms that while the lack of patching provided the initial access, it was the absence of network segmentation and poor secrets management that transformed a localized incident into a national security crisis.

Furthermore, this study highlights a critical regulatory lag in the enforcement of the Nigeria Data Protection Act (NDPA) 2023. The nine-day detection window and the subsequent delay in public disclosure underscore a systemic culture of non-compliance that erodes public trust in the fintech sector. The security of Nigeria’s financial infrastructure is functionally only as robust as its most vulnerable connected node; on March 18, 2026, that node was Sterling Bank.

To mitigate future occurrences, we argue for a paradigm shift from entity-centric security to ecosystem-wide zero-trust mandates. Regulators must move beyond “compliance-on-paper” toward active, automated verification of security postures for any institution connected to national payment rails. The irreversible nature of the identity theft resulting from this breach remains a permanent liability for the Nigerian state, necessitating urgent reform in how biometric and KYC data are stored and federated.

Acknowledgement: None

Funding Statement: The authors received no specific funding for this study.

Author Contributions: The author confirms sole responsibility for the following: conceptualization, Chinedum Amaechi; methodology, Chinedum Amaechi; formal analysis, Chinedum Amaechi; investigation, Onyemelukwe Nnaemeka; data curation, Chinedum Amaechi; writing—original draft preparation, Chinedum Amaechi and Charity N. Onyechi; writing—review and editing, Onyemelukwe Nnaemeka; visualization, Charity N. Onyechi and Chinedum Amaechi; supervision, Chinedum Amaechi. All authors reviewed and approved the final version of the manuscript.

Availability of Data and Materials: All data supporting the results of this study are included within the article. The primary source material is the publicly available investigative report by Odes [4], which contains actor-published artefacts from the spear.cx cybercrime forum. No primary data was generated in this study.

Ethics Approval: Not applicable.

Conflicts of Interest: The authors declare no conflicts of interest.

References

1. Central Bank of Nigeria. Risk-based cybersecurity framework for deposit money banks. Abuja, Nigeria: CBN; 2019[cited 2026 Jan 1]. Available from: https://usercontent.one/wp/www.acaebin.org/wp-content/uploads/2023/07/RISK20BASED20CYBERSECURITY20FRAMEWORK20FINAL201.pdf.pdf. [Google Scholar]

2. Krebs B. Target hackers broke in Via HVAC company (KrebsOnSecurity, 5 February 2014). [cited 2026 Apr 28]. Available from: https://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company. [Google Scholar]

3. Politics GB for N. The SolarWinds compromise and the strategic challenge of the information and communications technology supply chain [Internet]. Council on Foreign Relations. 2020 Dec 22[cited 2026 Jan 1]. Available from: https://www.cfr.org/articles/solarwinds-compromise-and-strategic-challenge-information-and-communications-technology-supply. [Google Scholar]

4. Odes D. Sterling Bank & Remita: how a global hacker walked through Nigeria’s banking sector and took everything. Security Intelligence [Internet]. 2026 Apr 8[cited 2026 Apr 17]. Available from: https://securityintelligence.substack.com/p/sterling-bank-and-remita-how-a-global-f9c. [Google Scholar]

5. Ama GAN, Onwubiko CO, Nwankwo HA. Cybersecurity challenge in Nigeria deposit money banks. J Inf Secur. 2024;15(4):494–523. doi:10.4236/jis.2024.154028. [Google Scholar] [CrossRef]

6. Chukwunonso Aloamaka P. Effective data protection in Nigeria: challenges. Commonw Law Rev J. 2022;8:656–62. doi:10.55662/clrj.2022.811. [Google Scholar] [CrossRef]

7. Yin RK. Case study research and applications: design and methods. 6th ed. Thousand Oaks, CA: SAGE Publications; 2018. [Google Scholar]

8. Lallie HS, Shepherd LA, Nurse JRC, Erola A, Epiphaniou G, Maple C, et al. Cyber security in the age of COVID-19: a timeline and analysis of cyber-crime and cyber-attacks during the pandemic. Comput Secur. 2021;105(1):102248. doi:10.1016/j.cose.2021.102248. [Google Scholar] [PubMed] [CrossRef]

9. Nigeria Data Protection Commission (NDPC). Press Release: NDPC investigates remita and sterling bank for alleged data breach. 2026[cited 2026 Apr 28]. Available from: https://punchng.com/ndpc-probes-remita-sterling-bank-over-data-breach/. [Google Scholar]

10. National Vulnerability Database. CVE-2025-55182 Detail [Internet]. NIST; 2025 [cited 2026 Apr 17]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2025-55182. [Google Scholar]

11. Nigeria Data Protection Act, 2023. Lagos, Nigeria: Federal Republic of Nigeria Official Gazette; 2023 [cited 2026 May 27]. Available from: https://cert.gov.ng/ngcert/resources/Nigeria_Data_Protection_Act_2023.pdf. [Google Scholar]

12. Casey E. Digital evidence and computer crime: forensic science, computers, and the internet. 3rd ed. Cambridge, MA, USA: Academic Press; 2011. [Google Scholar]

13. Bayerl PS, Akhgar B. OSINT as a research methodology in cybersecurity. In: Akhgar B, Bayerl PS, editors. Open source intelligence investigation. Berlin/Heidelberg, Germany: Springer; 2015. p. 3–17. [Google Scholar]

14. MITRE. MITRE ATT&CK Framework, version 16 [Internet]. 2025[cited 2026 Apr 17]. Available from: https://attack.mitre.org/. [Google Scholar]

15. Strom BE, Applebaum A, Miller DP, Nickels KC, Pennington AG, Thomas CB. MITRE ATT&CK: design and philosophy. Bedford, MA, USA: MITRE Corporation; 2018. [Google Scholar]

16. NIST SP 800-53. Security and privacy controls for information systems and organizations. Gaithersburg, MD, USA: NIST; 2018. [Google Scholar]

17. OWASP. OWASP Top Ten 2021: A03:2021—injection. Open web application security project. 2021[cited 2026 Jan 1]. Available from: https://owasp.org/Top10/2021/A03_2021-Injection/. [Google Scholar]

18. African Union. The digital transformation strategy for Africa (2020–2030). Nairobi, Kenya: African Union Commission; 2020. [Google Scholar]

19. Yakubu IN, Adam IO, Abdul Mumin M. Cybersecurity and data protection in FinTech: ensuring safe and inclusive financial services. In: Banking on inclusion: overcoming financial exclusion in Africa through FinTech innovations. Cham, Switzerland: Springer Nature; 2025. p. 239–61. [Google Scholar]

20. Kabir MSA. Lessons learned from the Bangladesh Bank Heist, ISACA. 2023[cited 2026 Jan 1]. Available from: https://www.isaca.org/resources/isaca-journal/issues/2023/volume-6/lessons-learned-from-the-bangladesh-bank-heist. [Google Scholar]

21. Kumar P. A zero trust-based approach to modern cybersecurity challenges in software development. Int J Emerg Res Eng Technol. 2025;6(3):113–22. doi:10.63282/3050-922X.IJERET-V6I3P113. [Google Scholar] [CrossRef]

22. European Central Bank. TARGET2 security framework: assessment methodology. Frankfurt, Germany: ECB; 2021. [Google Scholar]

23. Federal Trade Commission. Data breach response: a guide for business. Washington, DC, USA: FTC; 2018. [Google Scholar]