We Mapped 95 Nigerian Organizations' Infrastructure. 4 Sectors Are One Breach Away.
Over the last month we have been running a structured infrastructure-mapping exercise across Nigerian enterprises and government agencies. As of today, our dataset covers 95 organizations across six active sectors: banking, fintech, telecom, healthcare, government, and e-commerce. 1,180 live hosts enumerated. 756 unique IPs mapped to ASN ownership.
The pattern is consistent enough to describe in one sentence: most Nigerian enterprises still do not turn on the security header that was invented in 2012 to stop exactly the attack that just hit Sterling Bank.
This post is the public version of the finding. Free, specific, and honest. If you run infrastructure for a Nigerian SME, a bank, a fintech, or an HMO, the data below tells you where your peers stand and where the attacker's path of least resistance currently runs.
The one header that matters, and what it does
HSTS (Strict-Transport-Security) is a tiny line a server returns on every response. It tells the user's browser: from now on, always connect to me over HTTPS, never plain HTTP, for at least N seconds.
Without HSTS, every time a user types your URL, or clicks a link from Google, Twitter, or an email, the first hop is unencrypted HTTP. Any attacker on the same Wi-Fi can intercept that first hop and either serve a fake login page, silently redirect to a malicious clone domain, or inject scripts that exfiltrate session cookies on every subsequent page. This exact attack class, SSL stripping, is how attackers routinely pivot into banks, HMOs, and government accounts.
It is a 2009-era attack. The fix, HSTS, has been standard since 2012. Turning it on is one line of server config. No cost. No complexity.
And as of today, here is what 95 Nigerian organizations look like.
Healthcare is the worst performer
We mapped four Nigerian healthcare organizations. Two of them run zero HSTS across their entire infrastructure.
| Organization | Hosts mapped | HSTS coverage |
|---|---|---|
| Hygeia HMO | 54 | 0% |
| 54gene | 50 | 0% |
| Helium Health | 6 | 16% |
| Reliance HMO | 12 | 33% |
A patient looking up their health record on Hygeia HMO's portal over a hotel Wi-Fi today can have their entire session hijacked by the person two tables over. At 54 subdomains with zero HSTS, this is not one-page oversight. It is infrastructure-wide policy absence.
Under the NDPA 2023, health data is classified as sensitive personal data. A breach via an SSL-stripping attack on a session-token-exposed portal triggers NDPC reporting obligations within 72 hours and statutory damages exposure. One line per host to fix. About 30 minutes of operator time across 54 hosts.
Government: the two biggest regulators fail their own guidance
| Agency | Hosts mapped | HSTS coverage |
|---|---|---|
| NCC (Nigerian Communications Commission) | 103 | 5% |
| NITDA (National IT Development Agency) | 90 | 6% |
These are the bodies that publish cybersecurity guidance and regulate other organizations' compliance. Their own infrastructure, at 5 to 6 percent HSTS coverage, is more vulnerable than most Nigerian SMEs. Not a dig. Just the gap between published policy and deployed infrastructure, which is where attackers live.
Banking: front-doors hardened, everything else exposed
| Bank | Hosts mapped | HSTS coverage |
|---|---|---|
| Access Bank | 381 | 40% |
| GTBank (primary + shadow) | 170 | 38% / 0% |
| Zenith Bank | 191 | 10% / 0% |
| First Bank | 132 | 0% |
The top four Nigerian banks map to 874 subdomains total, of which roughly 65 percent lack HSTS. Access Bank's front-door domain has the best coverage at 40 percent. The rest is a long tail of subdomains (internal tools, legacy portals, staging environments with leaked default paths, vendor-integration endpoints) that serve HTTPS but do not enforce it.
Pattern: main front-doors are hardened. Everything behind them is not. That is where a determined attacker pivots. Not the bank's marketing site, but the forgotten dev-api.bank.example.com.ng or vendor-portal.bank.example.com.ng.
Middle of the pack: e-commerce and fintech
| Organization | Hosts | HSTS coverage |
|---|---|---|
| Jumia | 79 | 17% |
| Kuda | 44 | 25% |
| 9mobile | 35 | 17% |
Fintech is a mixed story. The big rails, Paystack, Flutterwave, Monnify, are not in our top-15 by host count yet, but our prior research has surfaced live credential leaks across this sector and we continue to monitor. Kuda at 25 percent is neither top nor bottom. Typical.
The second pattern: legacy stacks still serving production traffic
Beyond HSTS, we flag the presence of legacy ASP.NET / IIS stacks on production hosts. Our scan found nine organizations running legacy-signature ASP.NET on public-facing infrastructure.
| Organization | Legacy IIS / ASP.NET hosts |
|---|---|
| Access Bank | 19 |
| GTBank (shadow infra) | 18 |
| Zenith Bank | 18 |
| NCC | 14 |
| NITDA | 2 |
Legacy IIS is not inherently broken. But these are the exact signatures of infrastructure running IIS 6, 7, or 7.5 and ASP.NET Web Forms from 2010 to 2015. CVE backlogs on these versions run into the hundreds, many with published exploits. Running them on internet-exposed hosts in 2026 means CVEs from 5+ years ago are sitting unpatched.
This pairs with the HSTS gap. Many of those same legacy hosts also lack HSTS. Combined, an attacker on the same Wi-Fi as the user can downgrade the connection, exploit a 2012-era ASP.NET vulnerability, and harvest session tokens. Which is how Sterling Bank got breached. Per our prior breach analysis, the attacker's entry was a test server running an unpatched IIS vulnerability accessible over plain HTTP. Sterling was not unique. Our data suggests they were median.
Why we are publishing this
It is fixable. Unlike many security findings, HSTS is literally one line of server config per domain. A weekend of operator time would move all 95 organizations in our dataset above 80 percent HSTS coverage.
The regulatory landscape changed. NDPC is now doing sector-by-sector enforcement audits. Banking was first, payments second. Education was third. Healthcare, telecom, and government are next in rotation. Organizations that fail basic header checks in a public audit will face material fines. This is not speculative. We track the enforcement cascade.
Our paid Snapshot product needs credibility. We sell a $10 to $99 audit that runs this scan against a single organization and delivers a PDF report with specific remediation steps. For the product to work, we need to prove our data model is real. Publishing aggregate findings, honest and specific, is how we do that.
What to do if you run infrastructure for any of these sectors
- Check your own HSTS coverage. Free: `curl -sI https://yourdomain.com | grep -i strict`. It should return `strict-transport-security: max-age=31536000; includeSubDomains`.
- If missing, add one line to your server config. For Cloudflare Pages or Vercel, use `_headers` or `vercel.json`. For nginx: `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;` in every server block.
- Repeat across every subdomain. The attackers do not go through your main domain. They pivot through the unloved ones.
- If you want us to do it for you, our Snapshot product runs 42 security checks including HSTS coverage, NDPA 2023 gaps, GitHub credential scan, and shadow-subdomain enumeration. Delivered within 24 hours.
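The checklist above runs one `curl` per host by hand. The script below is an added example, not code from the original post or from Securva's Snapshot product, that does the same grading programmatically: it parses the `Strict-Transport-Security` value the way a browser does (RFC 6797: `max-age` in seconds is required, `includeSubDomains` and `preload` are optional, an unparsable `max-age` means the whole header is ignored), grades each host against the thresholds the post recommends, flags the legacy IIS server signatures the second pattern describes, and rolls the result up into the per-organization coverage percentages the tables use. The organizations, hostnames and response headers in `SAMPLE_RESPONSES` are constructed placeholders, and the `Microsoft-IIS/6.0|7.0|7.5` pattern is an assumption about what the post's "legacy signature" looks like, since the post does not say.

```python
"""
HSTS audit helper: parse Strict-Transport-Security as a browser does (RFC 6797),
grade each host, and roll results up per organization. Added example, not code
from the original post or from Securva; all hosts and headers are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ONE_YEAR = 31536000  # seconds; the max-age the post's recommended header sets

# Assumption: the post names IIS 6, 7 and 7.5 as legacy but not its fingerprints,
# so this treats those Server-header version strings as the legacy signature.
LEGACY_IIS = re.compile(r"Microsoft-IIS/(6\.0|7\.0|7\.5)\b", re.IGNORECASE)


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: Optional[str]) -> Optional[HstsPolicy]:
    """Return the policy, or None when a browser would ignore the header
    (absent, max-age missing, or max-age not a non-negative integer)."""
    if value is None:
        return None
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", raw):
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


def grade_host(headers: Dict[str, str]) -> Tuple[str, str]:
    """Grade one HTTPS response: ('ok' | 'weak' | 'missing', reason).
    Header names match case-insensitively, as curl -sI prints them.
    Only responses fetched over https:// count; browsers ignore HSTS on HTTP."""
    lower = {k.lower(): v for k, v in headers.items()}
    policy = parse_hsts(lower.get("strict-transport-security"))
    if policy is None:
        return "missing", "no valid Strict-Transport-Security header"
    if policy.max_age == 0:
        return "missing", "max-age=0 tells browsers to forget the policy"
    if policy.max_age < ONE_YEAR:
        return "weak", f"max-age={policy.max_age} is under one year"
    if not policy.include_subdomains:
        return "weak", "includeSubDomains absent; subdomains stay downgradable"
    return "ok", ""


def legacy_stack(headers: Dict[str, str]) -> bool:
    """True when the Server header carries a legacy IIS version string.
    A hidden or rewritten Server header is not evidence either way."""
    lower = {k.lower(): v for k, v in headers.items()}
    return bool(LEGACY_IIS.search(lower.get("server", "")))


def audit(responses: Dict[str, Dict[str, Dict[str, str]]]) -> Dict[str, dict]:
    """responses: org -> host -> headers of its https:// response.
    Returns per-org host count, HSTS coverage percent, legacy count, findings."""
    report = {}
    for org, hosts in responses.items():
        ok = legacy = 0
        findings: List[str] = []
        for host, headers in hosts.items():
            status, reason = grade_host(headers)
            if status == "ok":
                ok += 1
            else:
                findings.append(f"{host}: HSTS {status} ({reason})")
            if legacy_stack(headers):
                legacy += 1
                findings.append(f"{host}: legacy IIS signature in Server header")
        report[org] = {
            "hosts": len(hosts),
            "hsts_pct": round(100 * ok / len(hosts)) if hosts else 0,
            "legacy_hosts": legacy,
            "findings": findings,
        }
    return report


# Constructed sample of what curl -sI might return; replace with real captures.
SAMPLE_RESPONSES = {
    "example-hmo": {
        "portal.example-hmo.com.ng": {"Server": "nginx"},
        "api.example-hmo.com.ng": {"Server": "Microsoft-IIS/7.5", "X-AspNet-Version": "4.0.30319"},
    },
    "example-bank": {
        "www.example-bank.com.ng": {"strict-transport-security": "max-age=31536000; includeSubDomains; preload"},
        "dev-api.example-bank.com.ng": {"Strict-Transport-Security": "max-age=300"},
        "vendor-portal.example-bank.com.ng": {"Strict-Transport-Security": "max-age=31536000"},
        "legacy.example-bank.com.ng": {"Server": "Microsoft-IIS/6.0"},
    },
}

if __name__ == "__main__":
    for org, row in audit(SAMPLE_RESPONSES).items():
        print(f"{org}: {row['hosts']} hosts, HSTS {row['hsts_pct']}%, legacy {row['legacy_hosts']}")
        for line in row["findings"]:
            print("  -", line)
```

To run it against your own estate, feed `audit()` the headers from `curl -sI https://<host>` for every subdomain you own, fetched over HTTPS only. A header set on the marketing site but missing on `dev-api` or `vendor-portal` shows up as a per-host finding and drags the organization's percentage down, which is exactly the long-tail pattern the banking table describes; a `max-age` under a year or a missing `includeSubDomains` is reported as `weak` rather than counted as covered.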
Securva Snapshot
42-check security + NDPA 2023 audit. Starter tier $29 USD. Delivered within 24 hours. Refundable if not useful.
The bottom line
Nigerian enterprises are not being attacked by sophisticated nation-state actors. They are being attacked by routine opportunistic scripts that require a 2012-era protection gap to function. That gap exists across four sectors we have measured, and it is one weekend of operator time away from being closed.
If you run one of the 95 organizations in our sample and want the specific findings for your infrastructure, email [email protected]. Free to you. Faster than a formal audit. No public disclosure attached.
Want your organization's data?
Specific findings for any of the 95 orgs in our sample. Free for first-party requests, coordinated disclosure only.
Email [email protected]