The Lagos Fintech Breach

You are the newly appointed Data Protection Officer of QuickSend, a Lagos-based mobile money platform with 850,000 registered users. QuickSend is a Data Controller of Major Importance under the NDPA 2023.

It is 11:47pm on a Wednesday. Your IT team has just discovered that a misconfigured API endpoint has exposed the following data for approximately 14,000 QuickSend users: full names, phone numbers, BVN numbers, and account balances for the past 90 days.

The exposure has been active for an estimated 72 hours. The team has now closed the endpoint. No evidence of data exfiltration has been confirmed yet, but it cannot be ruled out.

You have five decisions to make in the next 30 minutes. What do you do?