Cyber threat actors have recently exposed data purportedly from both private and public institutions in Nigeria, underscoring the growing need for stronger cybersecurity frameworks, proactive threat monitoring, and coordinated incident response measures.

But Digital Encode’s advisory highlights a troubling pattern: most recent cyber incidents are not driven by sophisticated zero-day exploits, but by preventable weaknesses in basic security configurations, credential management, and operational controls.

According to the advisory signed by Professor Obadare Adewale Peter, Chief Visionary Officer of Digital Encode Limited, attackers are increasingly exploiting misconfigured systems and publicly exposed assets, such as unsecured databases, open cloud storage buckets, leaked API keys, and critical servers exposed to the internet, many of which are easily discoverable through open repositories, cloud indexing tools, and even dark web marketplaces.

The advisory outlines critical areas of concern, including publicly accessible cloud storage exposing sensitive customer and operational data; hardcoded secrets in web and mobile applications, including API keys and tokens; leaked credentials in repositories and deployment artifacts; weak internal access controls and over-reliance on single authentication layers; exposure of administrative endpoints, API documentation, and development environments in production; uncontrolled use of Third-Party Hosting platforms such as Vercel, Netlify, and Render; poor token lifecycle management and weak authentication, inadequate vendor risk management and monitoring controls

Digital Encode noted that these vulnerabilities are widespread across organizations, particularly in financial institutions, payment service providers, Fintech companies and public sector platforms, where similar exposure patterns continue to recur.

Not a Technology Problem, But an Execution Gap

“Organizations affected in recent breaches were not compromised due to highly advanced attacks, but due to lapses in enforcing existing security controls, like, ensuring that no cloud resources linked to organizations whether AWS S3, Azure Blob, Google Cloud Storage, or Firebase allow anonymous access, Verify that no cloud credentials or API tokens are exposed in public or private repositories, container registries or deployed applications, and all external and internal APIs must enforce authentication and authorization controls at all times” Prof. Obadare stated.

The advisory stresses that most of these risks can be mitigated with readily available tools and best practices, underscoring a critical gap between security policy and implementation.

Urgent Actions Recommended

Digital Encode has called on organizations to act immediately by conducting a comprehensive audit of all internet-facing assets, including third-party systems; revoking and rotating all exposed or potentially compromised credentials including passwords, API keys, and access tokens; reviewing historical logs to assess the extent of any prior exploitation; engaging vendors to address third-party security exposures; fixing identified misconfigurations and validating remediation efforts; strengthening monitoring, logging, and threat detection systems; and documenting remediation steps and residual risks for governance and compliance.

The firm also emphasized the need for improved visibility into shadow IT and unauthorized deployments tied to employees’ accounts, which increasingly serve as entry points for attackers.

Call for Proactive Security Posture

Digital Encode reiterated its commitment to supporting organizations through enterprise-wide security assessments and independent validation of implemented controls.

“We strongly advise that this advisory be actioned without delay,” Prof Obadare warned, adding that proactive security hygiene, not reactive response, will determine resilience in Nigeria’s evolving threat landscape.

Digital Encode Limited is a trusted cybersecurity advisory firm specializing in information security, digital trust, and GRC services. The company supports organizations across sectors in strengthening their security posture and achieving regulatory compliance.

The engagement, which brought together media partners covering technology, business, and governance, was aimed at strengthening journalists’ understanding of Nigeria’s evolving data protection and privacy ecosystem, in order to improve the quality, accuracy, and responsibility of reporting on data-related issues.

Speaking virtually at the event, Dr Vincent Olatunji, the national commissioner and chief executive officer of the NDPC, commended the media for its sustained support in advancing public awareness of data protection and privacy, describing the press as a critical stakeholder in the Commission’s mandate.

NDPC at the training session:

Olatunji emphasised the growing economic and social importance of data protection in Nigeria, noting that effective regulation is not only about safeguarding citizens’ rights but also about enabling trust in the digital economy.

He highlighted key milestones recorded by the Commission since its establishment, including the creation of approximately 23,000 jobs and the expansion of a data protection ecosystem now valued at about ₦16.2 billion.

According to him, these gains underscore the sector’s rising contribution to national economic growth, particularly as businesses, public institutions, and digital service providers increasingly prioritise data compliance and privacy safeguards.

The NDPC boss also disclosed that the Commission was named the Most Outstanding Data Protection Authority at the Picasso Awards last year, a recognition he said reflects its growing credibility and impact both locally and internationally.

He urged journalists to continue supporting the Commission’s efforts through informed reporting and sustained public engagement.

The capacity-building session exposed participants to core concepts underpinning data protection and privacy regulation, including the principles of personal data processing, lawful bases for data processing, and the regulatory considerations surrounding cross-border data transfers.

Other discussions focused on emerging privacy risks, compliance obligations for organisations, and the media’s role in shaping public understanding of data rights.

Organisers said the workshop forms part of the NDPC’s broader strategy to deepen stakeholder collaboration and build institutional capacity across sectors, as Nigeria positions itself as a trusted digital economy under the Nigeria Data Protection Act.

Industry observers say the initiative highlights the increasing intersection between data governance, media responsibility, and economic development, particularly at a time when digital technologies are reshaping business models and public services across the country.

Dr. Olatunji will speak on the topic, “Privacy, Compliance, and the Future of Gaming: Building Unity in a Decentralized Regulatory Era.”

His presentation is expected to highlight the vital role of data protection and cybersecurity in Nigeria’s growing and diverse gaming landscape.

Speaking on the significance of Dr. Olatunji’s participation, Prince Arinze Arum, executive secretary of the Enugu State Gaming and Lotto Commission, said:

“The presence of the NDPC at this year’s conference demonstrates the convergence between digital trust and responsible gaming. As gaming becomes increasingly technology-driven, issues of data privacy, cybersecurity, and regulatory compliance must take center stage. We are confident that Dr. Olatunji’s insights will set a new benchmark for operators and regulators alike.”

The 2025 edition of the conference is themed “From Unification to Diversification: Shaping Nigeria’s Gaming Future”, and aims to explore how a fragmented regulatory system can still thrive through collaboration, innovation, and adherence to national data protection standards.

Vanessa Ayogu, conference executive at Events Arcade Solutions Limited, emphasized the strategic value Dr. Olatunji (NDPC boss) brings to the Enugu Gaming Conference:

“Our theme this year challenges stakeholders to embrace diversity while seeking synergy. With Dr. Olatunji’s keynote, we are anchoring that conversation on the role of data governance as a unifying force. His address will not only spotlight the NDPC’s expectations but also empower regulators and gaming businesses to stay secure and compliant in this decentralized era.”

The Enugu Gaming Conference 2025 is set to feature a cross-section of gaming operators, regulators, technology providers, legal experts, investors, and policymakers. Attendance is expected from across Nigeria’s six geopolitical zones, making it one of the country’s most diverse and forward-looking gaming industry gatherings.