
How to Report a Data Breach in Nigeria Online 2026: NDPC Portal Steps, 72‑hour NDPA Rule, Who Must Notify, Penalties and Evidence to Include

By Global Law Experts
– posted 1 hour ago

If you need to know how to report a data breach in Nigeria online, the primary route is the Nigeria Data Protection Commission (NDPC) breach‑reporting portal at services.ndpc.gov.ng/breach, where data controllers must lodge a formal notification within 72 hours of becoming aware of the incident. The Nigeria Data Protection Act (NDPA) imposes this strict window on every organisation that controls or processes personal data of individuals in Nigeria, and the NDPC has steadily intensified its enforcement posture throughout 2025 and into 2026. Beyond the NDPC, parallel reporting obligations may extend to the Nigeria Police Force National Cybercrime Centre (NPF‑NCCC), the Nigeria Computer Emergency Response Team (ngCERT), banks and, in certain cases, the Central Bank of Nigeria (CBN).

This guide gives in‑house counsel, data protection officers and compliance teams a complete, step‑by‑step workflow, from internal triage through portal submission, data‑subject notification, evidence preservation and post‑breach engagement with the regulator.

Key takeaways at a glance:

  • Primary channel: Submit your report through the NDPC breach portal and retain the submission reference number.
  • Statutory deadline: The NDPA 72‑hour rule starts when you become aware of the breach, not when the breach occurred.
  • Parallel reporting: Report to the NPF‑NCCC if a crime is suspected; engage ngCERT for technical incident response; notify affected data subjects where the risk to them is high.

Quick Compliance Decision: What You Must Do Now

Before reading further, answer these three questions to determine your immediate obligations when a personal data breach is detected:

  1. Does the incident involve personal data of individuals in Nigeria? If yes, the NDPA applies. Proceed to Step 2.
  2. Is there a risk of harm to data subjects (financial loss, identity theft, reputational damage or physical safety)? If yes, you must notify the NDPC within 72 hours and notify the affected data subjects without undue delay.
  3. Is a criminal act suspected (hacking, insider fraud, ransomware extortion)? If yes, file a parallel report with the NPF‑NCCC and consider engaging ngCERT for incident response support.

If your answer to Question 1 is yes and either Question 2 or 3 is also yes, your organisation should activate its incident‑response plan immediately, preserve all forensic evidence and begin preparing its NDPC portal submission. Every hour counts toward the 72‑hour window, so the compliance decision should be made within the first few hours of detection.

NDPA 72‑Hour Rule: Data Breach Notification Requirements in Nigeria

What Triggers the NDPA Notification Obligation

Under the Nigeria Data Protection Act, a personal data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data that is transmitted, stored or otherwise processed. The obligation to notify the NDPC arises whenever such a breach is likely to result in a risk to the rights and freedoms of data subjects. Common trigger events include:

  • Leaked or exposed user credentials (email/password dumps).
  • Unauthorised access to databases containing customer records, health data or financial information.
  • Ransomware attacks that exfiltrate or encrypt personal data.
  • Accidental publication of sensitive records, for example through a misconfigured cloud storage bucket.

If the breach is unlikely to result in any risk to data subjects (for instance, encrypted data was briefly exposed but the encryption keys were not compromised), notification may not be required. However, the controller must document this risk assessment and be prepared to justify the decision to the NDPC if challenged.

How to Calculate the 72‑Hour Clock

The NDPA 72‑hour rule begins when the data controller becomes aware of the breach, that is, the moment your organisation has a reasonable degree of certainty that a security incident has compromised personal data. This is distinct from the moment the breach actually occurred.

Example 1 (immediate detection): A security operations centre (SOC) alert flags unauthorised database access at 14:00 on Monday. The 72‑hour clock starts at 14:00 Monday and expires at 14:00 Thursday.

Example 2 (delayed discovery): An anomaly is spotted on Wednesday but the internal forensics team does not confirm personal data exposure until Friday at 09:00. The clock starts at 09:00 Friday and expires at 09:00 Monday.

Exceptions and the Reasonable Excuse Concept

The NDPA acknowledges that a full picture may not be available within 72 hours. Where notification is delayed beyond the deadline, the controller must provide reasons for the delay alongside the report. Acceptable grounds may include ongoing law‑enforcement investigations that would be compromised by early disclosure, or complex forensic analysis required to determine the scope of personal data affected. A delay justified solely by reputational concern or commercial convenience is unlikely to satisfy the NDPC. The safest approach is to file an initial report within the 72‑hour window, even if incomplete, and submit supplementary information as it becomes available.

Who Must Notify in a Data Breach in Nigeria: Controllers, Processors and Third Parties

Understanding data breach notification requirements in Nigeria starts with identifying the responsible entity. The NDPA distinguishes between data controllers (entities that determine the purposes and means of processing) and data processors (entities that process data on behalf of controllers). Each has distinct obligations following a breach.

A data controller bears the primary duty to report to the NDPC and to notify data subjects. A data processor must inform the controller without undue delay upon becoming aware of a breach, ideally within hours, and provide the controller with all forensic evidence needed for the NDPC submission. If a controller fails to act, the processor should consider whether it must escalate the matter directly to the NDPC to fulfil its own regulatory duties. Third parties such as sub‑processors or vendors are bound by their contractual obligations and should have immediate‑notification clauses in their data‑processing agreements.

| Entity Type | Who Reports to NDPC? | Practical Notes (Timing & Evidence) |
|---|---|---|
| Data Controller | Yes (primary reporter) | Must notify NDPC within 72 hours; include incident summary, affected records count, categories of data and mitigation steps taken. |
| Data Processor | Reports to controller immediately; controller notifies NDPC | Processors must supply evidence, logs and timeline; if the controller fails to notify, the processor may need to escalate directly. |
| Third Parties (sub‑processors, vendors) | Inform controller & provide forensic evidence | Contracts should require immediate notification, co‑operation clauses and evidence‑preservation obligations. |

Step‑by‑Step: How to Report a Data Breach in Nigeria Online via the NDPC Breach Portal

The NDPC breach portal is the official online channel through which data controllers submit breach notifications. The following ten‑step workflow covers the full process, from internal triage to post‑notification record‑keeping.

  1. Triage internally and contain the incident. Isolate compromised systems, revoke affected credentials and activate your incident‑response team. Preserve all evidence: do not wipe logs or rebuild servers until forensic snapshots have been taken.
  2. Identify and document the incident facts. Record the date and time of detection, the systems affected, the types of personal data involved (names, financial data, health records, identification numbers) and the estimated number of data subjects impacted.
  3. Log and preserve forensic evidence. Collect server logs, endpoint detection and response (EDR) snapshots, email communications, access‑control records and any relevant screenshots. These will form the evidentiary attachments for your NDPC submission.
  4. Access the NDPC breach portal. Navigate to services.ndpc.gov.ng/breach and prepare to complete the submission form. The portal requests the following core fields: incident title, incident description, date and time of the breach, date and time of detection, number of data subjects affected, categories of personal data compromised, and mitigation steps already taken or proposed.
  5. Complete the portal form with precision. Write a clear incident narrative structured in three parts: (a) a factual summary of what happened, (b) immediate containment actions taken, and (c) planned remediation and next steps. Avoid speculation: state what is confirmed and flag areas still under investigation.
  6. Upload evidence attachments. Attach supporting documents in PDF or common file formats. Use a clear naming convention (for example, IncidentTimeline_CompanyName_YYYYMMDD.pdf) so the NDPC can process your submission efficiently.
  7. Record the submission reference number and contact the NDPC. After submitting through the portal, note the reference number. Follow up via the NDPC contact channels listed on ndpc.gov.ng/contact to confirm receipt, particularly if the breach is high‑severity or affects a large number of data subjects.
  8. Notify other relevant bodies. If a criminal offence is suspected, file a report with the NPF‑NCCC. If the breach involves critical national infrastructure or requires technical incident‑response assistance, engage ngCERT. If financial data or banking credentials are compromised, notify the affected banks and consider informing the CBN.
  9. Notify data subjects where the risk is high. The NDPA requires controllers to notify data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms. Use clear, plain language, avoid legal jargon, and explain what data was affected, what the organisation is doing about it and what steps individuals can take to protect themselves.
  10. Complete post‑notification actions. Conduct a full forensic review, implement permanent remediation measures, update your data‑protection impact assessment and provide periodic updates to the NDPC as requested. Retain all breach documentation for a minimum of six years, as NDPC investigations may open well after the initial notification.

Suggested Attachments and File Naming Conventions

| Attachment | Purpose | Recommended Retention |
|---|---|---|
| Incident timeline document | Chronological record from detection to containment | 6 years minimum |
| Server / application logs | Evidence of unauthorised access or data exfiltration | 6 years minimum |
| EDR / forensic report summary | Technical root‑cause analysis and scope assessment | 6 years minimum |
| Internal communications log | Evidence of escalation, decision‑making and containment steps | 6 years minimum |
| Data‑subject notification copy | Proof of compliance with subject notification obligation | 6 years minimum |

Parallel Reporting: NPF‑NCCC, ngCERT, Scamwatch, Banks and Financial Regulators

Reporting a data breach to the NDPC does not discharge all of an organisation’s reporting obligations. Where a criminal act is suspected (hacking, phishing, insider fraud or ransomware extortion), a separate cyber security incident report should be filed through the NPF‑NCCC e‑reporting portal at nccc.npf.gov.ng. The NPF‑NCCC coordinates with law enforcement to investigate cybercrime and can issue preservation orders for digital evidence.

For technical incident‑response support and ngCERT incident reporting, organisations should contact the Nigeria Computer Emergency Response Team via cert.gov.ng. ngCERT assists with containment, malware analysis and sector‑wide threat intelligence sharing, which is particularly useful for attacks on critical infrastructure.

Consumer‑facing fraud that overlaps with data breaches (for example, phishing campaigns impersonating a brand) may also be reported through Scamwatch Nigeria and the police cybercrime reporting form on services.gov.ng. Where banking data or financial transactions are compromised, the affected financial institution and, in systemic cases, the CBN should be informed. Industry observers expect cross‑regulator coordination to become more formalised as the NDPC and sector regulators align their enforcement frameworks.

Evidence to Include: Preservation Checklist and Sample Response Timeline

The quality and completeness of evidence submitted with an NDPC breach report can significantly influence the regulator’s assessment of your organisation’s response. At a minimum, the NDPC will expect the following documentation:

  • Incident timeline: A chronological record from the moment the breach occurred (if known) through detection, containment and notification.
  • System and access logs: Server logs, application logs and authentication records demonstrating the attack vector or cause of exposure.
  • Forensic report summary: A technical analysis covering root cause, data types exposed, estimated volume of affected records and scope of impact.
  • List of affected data categories: Names, email addresses, phone numbers, financial details, national identification numbers, health data or any special‑category data.
  • Mitigation steps taken: Documentation of containment actions, credential resets, system patches and monitoring enhancements.
  • Internal root‑cause statement: An honest assessment of the control failures or vulnerabilities exploited.
  • Copies of all communications: Internal escalation emails, data‑subject notifications sent and correspondence with third‑party vendors or processors.

Sample internal response timeline:

  • Day 0: Breach detected → incident‑response team activated → systems isolated → evidence preservation begins.
  • Day 0–1: Internal triage completed → scope of personal data exposure assessed → preliminary NDPC report drafted.
  • Day 1–3 (within 72 hours): NDPC portal submission lodged → submission reference obtained → NDPC contacted to confirm receipt.
  • Day 3–7: Data‑subject notifications dispatched (if high risk) → parallel reports to NPF‑NCCC/ngCERT filed where applicable.
  • Day 7–14: Follow‑up update submitted to NDPC with supplementary forensic findings → permanent remediation plan implemented.

Penalties for Data Breach in Nigeria: Enforcement Risk and Mitigation Strategies

The NDPC possesses broad enforcement powers under the NDPA, including the authority to issue compliance directions, impose administrative fines and, in serious cases, refer matters for criminal prosecution. Penalties for data breach in Nigeria can be substantial: the NDPA provides for fines calibrated to the severity of the breach, the number of data subjects affected, the degree of negligence and whether the controller cooperated with the investigation. The NDPC has signalled that failure to notify within the statutory window, poor security practices and repeat non‑compliance are its top enforcement priorities.

Early indications suggest that the NDPC is increasingly willing to use its enforcement powers, with investigations initiated on both complaint‑driven and proactive bases. Organisations that self‑report promptly, demonstrate genuine remediation and cooperate fully with the regulator are likely to receive more favourable outcomes than those that delay, conceal or downplay incidents.

Key mitigation strategies:

  • Notify early: File within the 72‑hour window even if your report is incomplete; supplementary information can follow.
  • Document everything: A thorough forensic report and clear evidence trail demonstrate good faith and due diligence.
  • Cooperate with the NDPC: Respond to information requests promptly, provide periodic updates and attend any meetings scheduled by the regulator.
  • Implement permanent remediation: Show the NDPC that the root cause has been addressed, not just the symptoms. Update policies, patch systems, retrain staff and revise processor agreements.
  • Review and update your data‑protection framework: Use each breach as an opportunity to strengthen your organisation’s overall compliance posture and reduce future risk.

Practical Templates, Short Notices and Internal Checklist

Short NDPC Submission Narrative (Template)

Subject: Data Breach Notification, [Organisation Name], [Date of Detection]

Paragraph 1 (Incident Summary): On [date], [Organisation Name] detected a security incident involving [brief description, e.g., unauthorised access to a customer database]. The incident affected approximately [number] data subjects and involved the following categories of personal data: [list, e.g., names, email addresses, phone numbers, financial details].

Paragraph 2 (Immediate Actions): Upon detection, [Organisation Name] immediately [isolated affected systems / revoked compromised credentials / engaged a forensic investigation team]. The breach has been contained and no further unauthorised access has been detected since [date/time of containment].

Paragraph 3 (Remediation and Next Steps): [Organisation Name] is implementing the following remediation measures: [list, e.g., system patches, enhanced monitoring, password resets, staff retraining]. Affected data subjects are being notified. We will provide the NDPC with a supplementary report containing full forensic findings by [target date].

Data Subject Notification Template (Short)

Subject: Important Notice About Your Personal Data, [Organisation Name]

Dear [Data Subject / Customer],

We are writing to inform you that [Organisation Name] experienced a data security incident on [date] that may have affected your personal information, including [specify data types, e.g., your name, email address and phone number]. We have taken immediate steps to contain the incident, including [brief summary, e.g., securing affected systems and resetting access credentials]. We have notified the Nigeria Data Protection Commission.

We recommend that you [specific protective actions, e.g., change your passwords, monitor your bank statements and be vigilant for suspicious communications]. If you have questions, please contact our data protection team at [email / phone number].

Internal Evidence Checklist (Quick Copy)

  • Incident detection date, time and method of discovery
  • Affected systems and data repositories identified
  • Categories and volume of personal data compromised
  • Server logs, EDR snapshots and forensic images preserved
  • Internal escalation and decision‑making log compiled
  • NDPC portal submission reference number recorded
  • Data‑subject notification copy retained
  • Parallel reports (NPF‑NCCC / ngCERT / banks) documented
  • Root‑cause analysis completed and remediation plan drafted
  • All records filed for minimum six‑year retention

Conclusion

Knowing how to report a data breach in Nigeria online is no longer optional; it is a core compliance obligation for every organisation that handles personal data in the country. Act within the 72‑hour window, use the NDPC breach portal as your primary reporting channel, preserve forensic evidence meticulously and notify data subjects promptly when risks are high. For guidance tailored to your organisation’s specific circumstances, consult a qualified data protection lawyer.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Paul Mgbeoma at Tayo Oyetibo LP, a member of the Global Law Experts network.
