Breach Analysis

Sterling Bank Had A Known Vulnerability On A Test Server. They Didn't Fix It. 900,000 Customers Are Paying The Price.

April 2026 | 8 min read | For non-technical founders

Your website has the same kind of vulnerabilities right now. Here is how to find out, in under 10 minutes and for free.

The short version of what happened

On March 18, 2026, someone sent one request to a Sterling Bank testing server. The server had a known security problem that had been public for three months. The patch existed. Nobody had installed it.

Nine days later, the attacker had access to three terabytes of Sterling Bank's data, including passport scans, driver's licenses, national ID cards, and utility bills belonging to roughly 900,000 customers. From there, they pivoted into Remita, the payment processor that handles Nigerian government salaries. The attack did not require Remita to have any flaw of its own; Sterling's own developers had stored Remita's passwords in a plaintext file inside an internal code repository.

On April 1, the Nigerian Data Protection Commission (NDPC) served Sterling Bank and Remita with a Notice of Investigation. As of this writing, most Sterling customers still do not know their data was stolen.

For the technical breakdown (the exact vulnerability, the six-factor pattern, the infrastructure math), see the piece we wrote last week: How Sterling Bank Got Breached And Why 60% Of Nigerian Enterprises Are Next. That one is for CTOs and security leads.

This one is for you: the person who runs a small business in Nigeria, is reading this on a phone, and is wondering whether any of this matters for them.

It does. Here is why.

You are not Sterling Bank. You are also not safe.

The attack on Sterling Bank was not sophisticated. The word we keep seeing in the post-mortems is "known." Known vulnerability. Known class of misconfiguration. Known pattern of leaked credentials. None of it was novel. All of it was preventable.

That means every one of the same failures lives somewhere on smaller websites across Lagos, Abuja, Port Harcourt, and beyond. Not in the same volume (a shop that sells hair extensions has less to lose than a bank), but in the same structural pattern. If you are running a Nigerian business with any web presence, there is a near-certain chance that your site has at least one of the exact categories of problems that broke Sterling.

The good news: the ones you have are cheaper to fix than Sterling's because your footprint is smaller. The bad news: they are just as easy for an attacker to find, and they often sit there for months or years before anybody notices.

Here are the three most common patterns, explained in plain English.

Pattern 1. The forgotten page

Sterling's breach started on a testing server. Nobody on the current team owned it. Nobody remembered it was still connected to the internet. The original developer had moved on. The box sat there collecting dust and running outdated software, until one morning it didn't.

Your business has the small-business version of this. It might be an old WordPress site your previous developer set up in 2019 that nobody has logged into since. It might be a subdomain you stopped using when you rebranded, something like old.yourshop.com or staging.yourshop.com, whose DNS record still points at a half-configured server. It might be a copy of your site you set up on Cloud A when you were thinking of switching from Cloud B, and then you switched back and forgot to delete.

Whichever version you have, the pattern is identical to Sterling's. The forgotten thing is still there. It is still reachable from the public internet. It is still running the software it had when you last touched it. If that software has a known problem, and software that has sat untouched for years usually does, somebody can find it and use it, and you will not know until the damage is done.

How to check yours: the free scan at securva.net will flag subdomains that are assigned but don't host a real site, and pages that expose default installer screens or admin panels that should not be public.

Pattern 2. The credential in a code folder

This is the one that let the attacker into Remita. Sterling's own code repository, the folder where their developers store the instructions that run their bank, had a file in it. That file had Remita's production passwords written out in plain text. When the attacker broke into Sterling, they found that file, took the passwords, and walked straight into Remita.

For a small Nigerian business, the version of this is a .env file, or a config.js file, or a Paystack_keys.txt file sitting in the same GitHub repository as your website code. Sometimes it is your developer's personal GitHub account. Sometimes it is your own GitHub organization. We have found live Paystack keys, Flutterwave keys, Monnify keys, and Supabase service tokens in Nigerian business repositories in the last 30 days. The people who own those businesses have no idea.

If any of this sounds unfamiliar, the thing to understand is this: anything your developer commits to a public GitHub repository is visible to the entire internet, forever, including the old versions after they think they deleted it. If they committed your Paystack key on day one and only "removed" it on day ten, the version with the key in it is still in the repository's history and can still be read. Deleting the file, or even rewriting the history, does not undo that once the key has been seen. The only real fix is to revoke the key in the provider's dashboard, issue a new one, and keep the new one out of the repository.
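To make the "still in the old versions" point concrete, here is an added example in Python. It is not Securva's scanner and not code from the page: it walks a constructed two-snapshot history, the way a repository scanner walks every commit, and reports credential-shaped strings in each snapshot. Snapshot one holds a .env file with a Paystack-shaped secret key and a JWT-shaped service token; in snapshot two that file has been deleted and a Flutterwave-shaped key sits in config.js. The key prefixes (sk_live_/sk_test_, FLWSECK-), the JWT shape, the generic KEY=value rule and the placeholder filter are this example's assumptions about format, and every sample value is made up.

```python
from dataclasses import dataclass
import re

# Assumed key shapes (example code, not Securva's scanner): Paystack secret keys
# start with sk_live_/sk_test_, Flutterwave secret keys with FLWSECK-, Supabase
# service tokens are JWTs. A production scanner carries many more categories.
SPECIFIC_PATTERNS = {
    "paystack_secret_key": re.compile(r"\bsk_(?:live|test)_[0-9a-f]{20,}\b"),
    "flutterwave_secret_key": re.compile(r"\bFLWSECK-[0-9A-Za-z]+(?:-[0-9A-Za-z]+)*\b"),
    "jwt_token": re.compile(r"\beyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]{10,}\b"),
}
# Generic catch-all for KEY=value lines in .env-style files; only consulted when
# no specific pattern matched the same line, so a hit is not counted twice.
GENERIC_ENV = re.compile(
    r"^\s*(?:export\s+)?([A-Z0-9_]*(?:SECRET|PASSWORD|PASSWD|TOKEN|API_KEY)[A-Z0-9_]*)"
    r"\s*=\s*['\"]?([^'\"\s#]{8,})"
)
# Values that are obviously placeholders rather than live credentials.
PLACEHOLDER_MARKERS = ("changeme", "your_", "xxxx", "example", "<", ">")


@dataclass(frozen=True)
class Finding:
    commit: str
    path: str
    line_no: int
    category: str
    preview: str  # redacted: the first 8 characters only, never the full secret


def _redact(secret: str) -> str:
    return secret[:8] + "..."


def _is_placeholder(value: str) -> bool:
    lowered = value.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def scan_text(commit: str, path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line and return every credential hit."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        hit = False
        for category, pattern in SPECIFIC_PATTERNS.items():
            for match in pattern.finditer(line):
                if _is_placeholder(match.group(0)):
                    continue
                findings.append(Finding(commit, path, line_no, category, _redact(match.group(0))))
                hit = True
        if hit:
            continue
        match = GENERIC_ENV.match(line)
        if match and not _is_placeholder(match.group(2)):
            findings.append(Finding(commit, path, line_no, "generic_secret_assignment",
                                    f"{match.group(1)}={_redact(match.group(2))}"))
    return findings


def scan_history(commits: list[tuple[str, dict[str, str]]]) -> list[Finding]:
    """Scan every snapshot, oldest first. A file deleted in a later commit is
    still present, and still scanned, in the earlier snapshot."""
    findings: list[Finding] = []
    for commit, files in commits:
        for path, text in files.items():
            findings.extend(scan_text(commit, path, text))
    return findings


def removed_but_still_readable(commits: list[tuple[str, dict[str, str]]]) -> set[str]:
    """Categories that appear somewhere in history but not in the newest tree:
    the developer 'removed' them, and anyone can still read them."""
    newest_commit, newest_files = commits[-1]
    in_head = {f.category for path, text in newest_files.items()
               for f in scan_text(newest_commit, path, text)}
    everywhere = {f.category for f in scan_history(commits)}
    return everywhere - in_head


# Constructed sample history (made-up repository contents and made-up keys).
SAMPLE_HISTORY = [
    ("c1_day_one", {
        ".env": "PAYSTACK_SECRET_KEY=sk_live_0123456789abcdef0123456789abcdef01234567\n"
                "SUPABASE_SERVICE_ROLE_KEY=eyJhbGciOiJIUzI1NiJ9.eyJyb2xlIjoic2VydmljZV9yb2xlIn0.signature_is_made_up_here\n"
                "DB_PASSWORD=changeme\n",
        "app.js": "const paystack = require('paystack')(process.env.PAYSTACK_SECRET_KEY);\n",
    }),
    ("c10_day_ten", {
        # .env was "deleted" in this commit, but the c1 snapshot above still has it.
        "config.js": "module.exports = { flwSecret: 'FLWSECK-0a1b2c3d4e5f67890abcdef12345678-X' };\n",
        "app.js": "const paystack = require('paystack')(process.env.PAYSTACK_SECRET_KEY);\n",
    }),
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"{f.commit}:{f.path}:{f.line_no} {f.category} {f.preview}")
    print("removed from the latest tree but still readable:", removed_but_still_readable(SAMPLE_HISTORY))
```

Run as is and the Paystack key and the service token are reported from the day-one snapshot even though the newest tree no longer contains the .env file, which is exactly why the only fix for a leaked key is to revoke it. The DB_PASSWORD=changeme line is deliberately skipped as a placeholder; a real scanner tunes that filter carefully, because an aggressive one hides real leaks.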

How to check yours: the Securva Snapshot, launching this week at securva.net/snapshot for $29 USD (or ₦30,000), includes a scan of your business's public GitHub footprint for 50+ categories of credential patterns. This is the same scanner we use to find Nigerian fintech leaks every week.

Pattern 3. The missing lock on the front door

Sterling's attack escalated through several stages, but the simplest weakness, and the one that shows up on Nigerian websites every day, is a missing HTTP Strict Transport Security (HSTS) header. This is a small configuration setting that tells your visitor's browser "always come in through the encrypted door." Without it, a customer who types yourshop.com into the address bar, or follows an old http:// link, can reach the unencrypted version of your site first, and somebody sitting on the same Wi-Fi as your customer, at MTN Eko Hotels, at an airport, in a co-working space, can keep them on that unencrypted version and watch what they type. One caveat: the browser only learns the rule the first time it reaches your site over HTTPS, so HSTS is the lock you add after HTTPS itself is already working.

64% of the 1,180 live Nigerian business websites we scanned are missing HSTS

Missing HSTS does not, by itself, cause a Sterling-sized catastrophe. But it is the reliable sign of a site that has not been configured by someone who cared about security. And the sites that do not bother with HSTS are the same sites that forget to decommission subdomains and leave credentials in their code folder. One weak spot is a marker for the others.

How to check yours: the free scan at securva.net grades your site against 42 security checkpoints in 30 seconds. HSTS is one of the first ones it looks at. You get a letter grade, A through F, with a specific list of which headers you have and which you do not.
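As an added example (not the Securva scan and not code from the page), the Python below checks a raw HTTP response for the HSTS header the way a header grader would, using this example's own rules: header missing, header sent over plain HTTP (browsers ignore it there), max-age absent, zero, or below one year, and no includeSubDomains. It also notes whether three other common headers are present. The three responses are constructed, and the one-year baseline and the extra headers are assumptions about what a grader looks for, not Securva's 42 checkpoints.

```python
ONE_YEAR = 31_536_000  # seconds; the usual max-age baseline (an assumption of this example)


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Split a raw HTTP/1.1 response head into a lower-cased header map.
    Repeated headers are kept in order; the status line is skipped."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, list[str]] = {}
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_hsts_directives(value: str) -> dict[str, str]:
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}"""
    directives: dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip().strip('"')
    return directives


def check_hsts(headers: dict[str, list[str]], over_https: bool) -> list[str]:
    """Return the list of HSTS problems; an empty list means the header is fine."""
    values = headers.get("strict-transport-security", [])
    if not values:
        return ["HSTS missing: a typed address or an old http:// link can land on the unencrypted site"]
    issues: list[str] = []
    if not over_https:
        # RFC 6797: browsers ignore the header unless it arrived over HTTPS.
        issues.append("HSTS sent over plain HTTP: browsers ignore it there; redirect http:// to https:// first")
    directives = parse_hsts_directives(values[0])
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        issues.append("HSTS max-age missing or not a number: the header is invalid and ignored")
    elif int(max_age) == 0:
        issues.append("HSTS max-age=0: this tells browsers to forget the policy")
    elif int(max_age) < ONE_YEAR:
        issues.append(f"HSTS max-age={max_age} is short; one year (31536000) is the usual baseline")
    if "includesubdomains" not in directives:
        issues.append("HSTS lacks includeSubDomains: hosts like old.yourshop.com stay unprotected")
    return issues


# Other headers a grader typically checks; an assumed baseline, not the article's checkpoint list.
OTHER_HEADERS = {
    "content-security-policy": "CSP",
    "x-content-type-options": "X-Content-Type-Options",
    "x-frame-options": "X-Frame-Options",
}


def check_response(raw: str, over_https: bool) -> dict[str, list[str]]:
    """Per-header issue lists for one response; over_https says how it was fetched."""
    headers = parse_headers(raw)
    report = {"HSTS": check_hsts(headers, over_https)}
    for name, label in OTHER_HEADERS.items():
        report[label] = [] if name in headers else [f"{label} missing"]
    return report


def passes(raw: str, over_https: bool) -> bool:
    return all(not issues for issues in check_response(raw, over_https).values())


# Constructed responses (not captured from any real site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>shop</html>"
)
SHORT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in [("weak", WEAK_RESPONSE), ("short", SHORT_RESPONSE), ("good", GOOD_RESPONSE)]:
        print(label, "passes" if passes(raw, True) else check_response(raw, True))
```

The header in GOOD_RESPONSE is what the one-line fix looks like; if your site runs nginx (an assumption), that line is add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; in the server block. Add includeSubDomains only once every subdomain you still use serves HTTPS, because browsers will refuse to load the ones that do not, and never ship max-age=0 except deliberately to switch the policy off.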

What happens if you find problems

First: do not panic. Most Nigerian SMEs score F on the free scan, and the reason is that nobody has ever set this stuff up for them. The absence of security headers is not evidence of neglect. It is the default state of the internet for anyone who was not told about them.

Second: there are three levels of response and they correspond to three levels of budget.

Free path. Take the scan results to your current developer. A competent web developer can add HSTS and the other common security headers in about an hour of work; HSTS in particular is usually one line of server configuration or one switch in a hosting dashboard. Content Security Policy (CSP) takes longer, because a strict policy can block your own scripts and payment widgets until it has been tuned and tested. This costs you nothing if you already have a developer; it costs you about ₦15,000 if you need to hire a one-off freelancer for the hour.

Cheap path. Buy the Securva Snapshot when it launches later this week ($29 or ₦30,000). You get the full 12 to 20 page PDF that walks through every issue, what it means, what it costs to fix, and which Pejji tier corresponds to the implementation work if you want us to handle it. Delivery is automated and the report lands in your email within 24 hours. This is the self-serve option.

Done-for-you path. Hire Pejji at the Card tier (₦60,000). We rebuild your site from scratch on our secure stack, give you a clean handoff, and the NDPA compliance, the security headers, the encrypted transit, and the monitoring all come built in. That is ₦60,000 one-time, your site is live in 48 hours, and you never have to think about HSTS again.

All three paths are valid. The one that is not valid is doing nothing.

The NDPC is not going to wait

246 NDPC investigations concluded since Jan 2026
₦5.2B in NDPC fines collected this year

The Nigerian Data Protection Commission served Sterling Bank in April. They served 649 Nigerian universities in February. They served 35 insurance companies and 392 insurance brokers in 2025. The cascade is moving through sectors at a visible, predictable pace: insurance, then education, then banking and payments. Based on signals from the NDPC's published priorities and the NCC's parallel 48-hour breach-notification directive for telecom, telecom, healthcare, and e-commerce are next.

If you run a Nigerian business in any of these sectors, your Notice of Investigation is not an if. It is a when. And the first thing NDPC will ask to see is your Data Protection Impact Assessment, your Records of Processing Activity, your privacy policy, and your technical security controls. If any of those are missing or weak, you are on the receiving end of the same fine schedule that has already hit banks and universities.

The point of the free Securva scan is not to sell you a product. It is to let you see, in 30 seconds, where you stand. Whatever grade you get, you now know. That is a better place to be than the one Sterling Bank's 900,000 customers are in right now.

The 10-minute action

  1. Go to securva.net on your phone or desktop.
  2. Paste your website URL.
  3. Hit scan.
  4. Read your grade.
  5. If it is anything below B, copy the issue list.
  6. Send it to your developer. If you do not have one, reply to hello@securva.net and we will tell you what the first three fixes cost to outsource.

That is it. The scan is free. There is no signup. There is no newsletter trap. There is no upsell gate. There is a letter grade and a list and a path to get to a better one.

Sterling Bank had three months to install their patch. They did not. You have right now.

Run the free scan

30 seconds. No signup. Grade your site against 42 security checkpoints and NDPA 2023 compliance.

Scan your website free

This is part 2 of our Sterling Bank post-mortem series. Part 1 (technical deep-dive for CTOs + security leads) covers the six-factor pattern, the infrastructure math, and what every Nigerian enterprise should audit first. Part 3 (the sector cascade, targeting telecom, healthcare, and e-commerce) is in production and will publish early May.

Built by the Securva team at Pejji Agency. We disclosed 28 critical credential leaks in Nigerian businesses this month alone. Receipts on request at hello@securva.net.