quotientsec.com

What to Do in the First 24 Hours After a Data Breach in Nigeria

A data breach in Nigeria is not a matter of if. It is a matter of when. And when it happens, the decisions you make in the first 24 hours determine whether the incident stays manageable or spirals into a regulatory, financial, and reputational crisis.

The Nigeria Data Protection Act (NDPA) requires organisations to notify the NDPC within 72 hours of becoming aware of a data breach. That timeline is tighter than most businesses realise, especially when you are simultaneously trying to understand what happened, contain the damage, and keep operations running.

This guide walks through exactly what to do, hour by hour, when your business suffers a data breach. Whether it is a ransomware attack, an employee error, a compromised database, or a third-party vendor incident, the response framework is the same.

Hour 0-2: Confirm and Contain the Data Breach

The first priority is confirming that a breach has actually occurred and stopping it from getting worse. Not every security alert is a breach, but every alert deserves rapid investigation.

Activate your incident response team. If you do not have a formal team, designate the most senior IT person and a business decision-maker to lead the response. Every minute spent figuring out who is in charge is a minute the breach continues.

Contain the breach immediately. This might mean disconnecting affected systems from the network, revoking compromised credentials, blocking suspicious IP addresses, or shutting down a vulnerable application. The goal is to stop the bleeding, not to fix the underlying problem yet.

Do not turn off affected systems or wipe any data. You will need forensic evidence to understand the scope of the breach and to satisfy regulatory requirements. Powering down a server can destroy volatile memory that contains critical evidence.

Hour 2-6: Assess the Data Breach Scope

Once containment measures are in place, you need to understand what happened and what data was affected. This assessment drives every subsequent decision, from regulatory notification to customer communication.

Determine the answers to these questions as quickly as possible:

  • What type of data was compromised? (personal data, financial records, health data, credentials)
  • How many individuals are affected?
  • How did the breach occur? (external attack, insider error, vendor compromise, system vulnerability)
  • Is the breach still ongoing or has it been contained?
  • Was the data encrypted? If so, were the encryption keys also compromised?
  • Is there evidence the data has been exfiltrated, published, or sold?

Document everything. Timestamps, actions taken, people involved, systems affected. This documentation will be essential for the NDPC notification and any subsequent investigation.
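
One way to keep that record, as an added example that is not part of the original guide: an append-only incident log holding the fields listed above (timestamp, person, action, systems), which also derives the NDPC deadline from the moment of awareness. It goes beyond the text by chaining entries with SHA-256 so that a later edit to any entry is detectable; the class name, field names and sample incident are assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

NDPC_WINDOW = timedelta(hours=72)          # notification window stated in the guide
WAT = timezone(timedelta(hours=1), "WAT")  # West Africa Time, UTC+1
GENESIS = "0" * 64                         # "previous hash" used by the first entry

def _aware(ts):
    # Naive timestamps make the 72-hour arithmetic ambiguous, so reject them.
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class IncidentLog:
    def __init__(self, aware_at):
        self.aware_at = _aware(aware_at)   # moment the organisation became aware
        self.entries = []

    def record(self, when, actor, action, systems):
        """Append one entry; each entry commits to the hash of the one before it."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"when": _aware(when).isoformat(), "actor": actor,
                "action": action, "systems": sorted(systems), "prev": prev}
        body["hash"] = _digest(body)       # digest is computed before "hash" is set
        self.entries.append(body)

    def first_altered_entry(self):
        """Return the index of the first entry that fails verification, or None."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or _digest(body) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None

    def ndpc_deadline(self):
        return self.aware_at + NDPC_WINDOW

def build_sample_log():
    aware = datetime(2025, 3, 3, 9, 15, tzinfo=WAT)  # constructed sample incident
    log = IncidentLog(aware)
    log.record(aware, "it-lead", "Alert confirmed as breach", ["db-01"])
    log.record(aware + timedelta(minutes=25), "sysadmin",
               "Isolated host from network, left powered on", ["db-01", "vpn-gw"])
    return log
```

Recording the latest hash somewhere outside the affected environment lets you show later that the log was not rewritten.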

Hour 6-12: Engage Data Breach Response Resources

Most SMEs do not have the internal capability to conduct a full forensic investigation. This is the point where you need to decide whether to bring in external help.

A cybersecurity incident response firm can help with digital forensics, malware analysis, and determining the full extent of the compromise. If the breach involves potential criminal activity, consider engaging law enforcement through the Nigeria Computer Emergency Response Team (ngCERT) or the EFCC’s cybercrime unit.

Notify your legal counsel. The NDPA creates specific legal obligations around breach notification, and getting legal advice early helps you navigate the regulatory requirements without making mistakes that could increase your liability.

If your business has cyber insurance, notify your insurer. Most policies have strict notification requirements, and delayed notification can void your coverage.

Hour 12-24: Report Your Data Breach to the NDPC in Nigeria

The NDPA requires breach notification to the NDPC within 72 hours of becoming aware of the breach. You do not need to wait until your investigation is complete to begin preparing this notification.

Your NDPC notification should include:

  • A description of the nature of the breach
  • The categories and approximate number of data subjects affected
  • The categories and approximate number of personal data records affected
  • The name and contact details of your Data Protection Officer or contact person
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach and mitigate its effects

If you do not have complete information at this stage, provide what you know and indicate that the notification will be supplemented with additional details as they become available. An incomplete but timely notification is far better than a complete but late one.

Hour 12-24: Assess Whether to Notify Affected Individuals

The NDPA requires that data subjects be notified when a breach is likely to result in a high risk to their rights and freedoms. In practical terms, this means notifying individuals affected by the data breach when:

  • Financial data was compromised (bank details, payment card numbers)
  • Authentication credentials were exposed (passwords, security questions)
  • Sensitive personal data was involved (health records, biometric data)
  • The data could be used for identity theft or fraud

Your notification to individuals should be written in clear, plain language and should explain what happened, what data was affected, what you are doing about it, and what steps they should take to protect themselves (such as changing passwords or monitoring financial accounts).

Do not hide behind legal language or minimise the severity. Transparency builds trust. Evasiveness destroys it.

Within 24 Hours: Internal Communication

Your staff need to know what is happening. Employees who are uninformed will speculate, and that speculation can leak externally in ways you cannot control.

Brief relevant staff on the situation, what the company is doing about it, and what they should and should not say if asked about it by customers, partners, or media. Give them a clear escalation point for any questions or concerns.

If customer-facing teams are likely to receive enquiries, prepare a brief response script that is honest, empathetic, and directs people to the appropriate contact for more information.

The Mistakes That Make Breaches Worse

Having responded to breaches across multiple organisations, we have seen certain patterns consistently make a bad situation worse:

Delaying because you want complete information. The 72-hour clock does not pause while you investigate. Notify the NDPC with what you know and update them as you learn more.

Attempting to handle everything internally. Unless you have a dedicated security operations team, you need external expertise for forensic analysis. Amateur investigations can destroy evidence and miss critical indicators of compromise.

Communicating too late or too little with affected individuals. People whose data has been compromised have a right to know so they can protect themselves. Learning about a breach from the media or from a fraudulent transaction is far more damaging to your relationship than hearing it from you directly.

Not having a plan in the first place. The single biggest predictor of how well an organisation handles a breach is whether they had a documented, rehearsed incident response plan before it happened. Improvising during a crisis is how mistakes get made.

After the First 24 Hours

The first day is about containment, assessment, and notification. The work that follows is about remediation, recovery, and prevention.

Complete your forensic investigation to understand exactly how the breach occurred. Remediate the vulnerability or gap that was exploited. Review and update your security controls. Conduct a lessons-learned exercise with your incident response team. Update your incident response plan based on what you learned.

If the breach was significant, consider engaging a third-party security firm to conduct a broader assessment of your security posture. The vulnerability that was exploited is rarely the only one.

Build Your Response Plan Before You Need It

If reading this guide made you realise that your business does not have a documented breach response plan, that is the single most important thing you can fix today. A plan that exists on paper and has been rehearsed will save you hours of confusion and poor decisions when a real incident occurs.

At QuotientSec, we help Nigerian businesses build incident response plans that are practical, testable, and aligned with NDPA requirements. We also provide incident response services for organisations that need immediate help managing an active breach.

Not sure how prepared your business is for a data protection incident? Take our free NDPA Compliance Scorecard to assess your current readiness, or contact us to discuss building a response capability that fits your business.
