A new legal research paper has raised concerns about the growing risk of data breaches and cybersecurity threats in Nigeria’s oil and gas sector.
Authored by data protection lawyer Lynda Ugo Ezike, the paper warns that the sector’s increasing digitization has made it vulnerable to cyberattacks, surveillance, and legal issues related to the misuse of, or unauthorized access to, sensitive data.
Ezike argues that poor data governance could put Nigeria’s critical economic sector at significant risk.
Titled “The Significance of Data Protection and Information Security in Nigeria’s Oil and Gas Industry: Legal Considerations,” the report delves into how oil and gas companies in Nigeria, while adopting technologies like cloud computing, artificial intelligence, and IoT, are not fully complying with the data protection obligations outlined by Nigerian law.
“Nigeria’s oil and gas companies are now classified as data controllers and processors of major importance under the Nigeria Data Protection Act (NDPA) 2023. This means they face stricter regulatory obligations, and failure to comply could attract fines of up to N10 million or 2% of their annual gross revenue,” Ezike wrote in the paper.
Given the sector’s significant contribution to government revenue, exports, and GDP, the report warns that any data breach or cybersecurity incident could have far-reaching consequences for the economy.
Citing a 2021 cyberattack on the Nigerian National Petroleum Corporation, where hackers encrypted sensitive operational data and demanded a ransom, the paper highlights the growing vulnerability of Nigeria’s energy assets.
The report also cites other notable incidents, such as the Colonial Pipeline ransomware attack in the United States, which disrupted fuel supplies and triggered congressional inquiries, as well as data breaches involving Saudi Aramco and Canadian energy firms that resulted in multi-million-dollar losses.
Although Nigeria has made progress with the enactment of the NDPA and the establishment of the Nigeria Data Protection Commission, the paper points out that current oil and gas regulations—especially the Petroleum Industry Act (PIA) 2021—only address customer data.
This leaves other critical categories, such as employees, contractors, and host communities, inadequately protected.
“The PIA references data protection in Section 164, but its scope is limited to customer information in midstream and downstream operations,” Ezike explains. “This leaves a gap for upstream activities and broader data subject categories.”
The report advocates for the development of sector-specific data protection regulations, arguing that a one-size-fits-all approach does not account for the operational complexities and varying data sensitivity across the upstream, midstream, and downstream segments of the oil and gas industry.
The report identifies eight key areas where oil and gas companies are particularly vulnerable to data breaches and legal liabilities.
According to the paper, each of these areas involves the collection, storage, processing, or transfer of personal data—activities that are now legally regulated under the NDPA.
To prevent significant data protection failures, the report recommends several compliance and governance strategies.
These include the development of industry-specific data protection guidelines in partnership with the NDPC; adoption of third-party data processing agreements with vendors and contractors; and staff training on data privacy rights and breach protocols.
Others are the implementation of annual data audits, privacy impact assessments, and use of privacy-enhancing technologies; and certification through recognized schemes such as ISO 27701 or BBBOnline.
The report further stresses the need for oil and gas companies to establish clear incident response plans and appoint Data Protection Officers to ensure ongoing compliance and accountability.