Web Security Lab

We’ve published Volume I of our ByteToBreach campaign analysis: a full technical post-mortem of the Sterling Bank Plc breach. This report reconstructs the complete attack chain from initial access (March 18, 2026) through to the Cardinal Stone pivot.

It is free, open, and published at websecuritylab.org/sterling-bank-…

5. 3,009 employee records enumerated via an unauthenticated API endpoint. 6. Cardinal Stone Partners’ investment database accessed via phpMyAdmin with no network isolation. The report is written for security professionals, CISOs, incident responders, and regulators.

We’ve published Volume I of our ByteToBreach campaign analysis: a full technical post-mortem of the Sterling Bank Plc breach. This report reconstructs the complete attack chain from initial access (March 18, 2026) through to the Cardinal Stone pivot.

You can read more here: websecuritylab.org/coordinated-su…

The affected subdomains were used for SEO spam hosting and redirect-based monetisation infrastructure for an extended period prior to remediation. We found no evidence of intrusion into core NIMC systems. Internal impact assessment remains the responsibility of NIMC.

Web Security Lab has identified and documented coordinated subdomain abuse affecting multiple hosts under the National Identity Management Commission (NIMC) domain namespace.

The incident was identified and responsibly disclosed. Following escalation to the authoritative DNS operator, the affected subdomain was taken offline. 📝 Read the full report here: websecuritylab.org/wp-content/upl…

Hundreds of indexed pages were identified, generating search visibility under a trusted government domain and increasing the likelihood of public exposure.

Web Security Lab has published a technical incident report on a subdomain takeover involving the Nigeria Police Service Commission website infrastructure.

From all of us at Web Security Lab, we wish everyone a Merry Christmas and a safe, secure, and uninterrupted holiday season.

As a certified cybersecurity professional, Jack brings emerging professional capability to Africa’s growing cybersecurity workforce. He represents a new generation of practitioners supporting secure digital growth across the continent.

Big congratulations to @Cy_berJack, one of our Fellows, on passing the CompTIA Security+ certification. Jack is a Fellow of the Web Security Lab Professional Security Fellowship, a structured program focused on developing practical security capability & professional readiness.

Mariam Ibrahim, a corps member, was arrested in October 2025 after the Nigerian Police claimed that a number tied to a January 2024 kidnapping case was linked to her National Identity Number (NIN). There was just one obvious problem: she bought the SIM card in April 2025. I spoke to The Punch Newspaper about how Nigeria’s MSISDN lifecycle management allows new SIM owners to inherit the digital footprint and criminal exposure of previous owners, and why our identity verification infrastructure needs stronger procedural safeguards around number reassignment and investigative protocols. punchng.com/marked-identit…

That’s why conversations like this matter, and why we’re proud to contribute our voice to the broader ecosystem work shaping Africa’s digital future and strengthening a safer, more accountable internet for everyone.

This Saturday, our Founder David Odes joins industry leaders at the Global Data Protection Tech Summit in Lagos. Stronger digital ecosystems grow when people understand how their data is collected, used, and protected—and when organisations act responsibly.

Building cybersecurity capacity begins with people. A stronger, safer digital Africa starts with education and collaboration.

ISO 27701:2025 separates privacy from security. The update removes the need for ISO 27001 certification, allowing independent privacy certification. With strengthened governance and leadership requirements, businesses can now adapt more easily. websecuritylab.org/what-every-bus…