CAC breach exposes Nigeria’s cybersecurity gaps

Nigeria’s fragile cybersecurity landscape has been laid bare following a massive breach at the Corporate Affairs Commission (CAC), where hackers stole and leaked more than 15 million sensitive company documents.

The attack, linked to the ransomware group ByteToBreach, is not just another cyber incident. It reveals deep structural weaknesses in how Nigeria secures its digital infrastructure, especially as the country accelerates its transition to a digital economy.

In total, the attackers reportedly accessed about 25 million files, amounting to roughly 750GB of data. To confirm the breach, they released screenshots documenting every stage of the operation, from initial system access to complete administrative control. One screenshot, labelled “GOV_BETRAYAL,” appeared to mock the government’s inability to protect sensitive national data.

What the Attack Reveals About Nigeria’s Cybersecurity

The CAC breach highlights a critical issue: Nigeria’s digital growth is outpacing its cybersecurity readiness.

Rather than a highly complex intrusion, evidence suggests the attackers exploited existing weaknesses poor system configurations, outdated software, and weak internal controls. In essence, the breach reflects a system that lacked strong defensive layers.

Cybersecurity experts say this is a pattern across many Nigerian institutions, where:

Security is often treated as an afterthought
Systems are deployed without long-term maintenance plans
Staff lack adequate training in data protection

The result is a digital ecosystem that is expanding rapidly but remains dangerously exposed.

A Critical Database Compromised

The CAC serves as Nigeria’s official registry for all businesses. Its database contains:

Company ownership structures
Directors’ information
Legal identities
Beneficial ownership records

More than 15 million of the leaked files contain detailed, high-value information, not just basic records.

This data plays a central role in financial transparency and regulatory enforcement. Banks, courts, and investigators rely on it to verify ownership and track financial activity.

A system security expert, DeMayor, explained the significance:

“When a bank conducts due diligence on a corporate client, it checks the CAC. When a court needs to establish legal ownership of a company, or when the EFCC investigates fraud or a contract dispute, they rely on this same register.”

With that system now compromised, the integrity of these processes faces serious risk.

Impact on Anti-Money Laundering Efforts

The breach comes at a time when Nigeria has been under pressure to strengthen its fight against financial crimes.

The CAC had been leading reforms to improve transparency, including identifying and handing over suspected fake company registrations to the Economic and Financial Crimes Commission (EFCC).

The goal was to build a reliable database that clearly shows who owns and controls businesses.

That effort has now suffered a major setback.

With access to detailed company structures, criminals can:

Clone legitimate businesses
Create sophisticated shell companies
Carry out identity theft
Execute financial fraud schemes

Experts warn that the breach effectively gives bad actors a blueprint of Nigeria’s formal economy.

A Pattern of Systemic Attacks

The CAC breach is part of a wider pattern of attacks targeting Nigeria’s most critical digital systems.

In recent weeks, the same group has:

Claimed access to 900,000 customer accounts at Sterling Bank
Breached Remita, a key government payment platform

The Remita incident reportedly resulted from a misconfigured cloud storage system, an error that exposed large volumes of data without requiring advanced hacking techniques.

These cases point to a consistent problem: human error and weak system management remain major vulnerabilities.

Rising Cyber Threats Across Nigeria

Nigeria is already facing significant cyber pressure.

Reports indicate that organisations in the country experience around 4,700 cyberattacks every week. A global study also recorded a 115% increase in attacks on financial institutions, with African banks among the most targeted.

Between 2019 and 2025, cybercrime cost Nigeria more than $3 billion, with annual losses estimated at $500 million.

These figures highlight the growing scale of the threat and the urgent need for stronger defences.

Experts Point to Structural Failures

Cybersecurity professionals say the CAC breach reflects deeper systemic issues.

According to analysts, Nigeria’s approach to digital development often prioritises innovation over security. Systems are launched quickly, but security frameworks, staff training, and maintenance are neglected.

Security researcher Gabriel Odusanya noted that while digital systems are expanding, security capacity is not keeping up.

Other experts pointed to:

Outdated infrastructure
Weak hiring practices
Insufficient investment in cybersecurity talent

Some also warned that political considerations sometimes override technical expertise in key appointments, weakening overall system resilience.

Government Response and Regulatory Actions

Following the breach, the CAC shut down its company registration portal to contain the damage and warned users about potential phishing attempts.

The Nigeria Data Protection Commission has launched a full investigation and issued a nationwide advisory.

The commission urged organisations to adopt stronger security measures, including:

Multi-factor authentication (MFA)
Regular software updates
Data encryption
Vulnerability testing
Secure cloud management
Appointment of trained data protection officers

It also emphasised the need for a “zero trust” security approach, where no user or system is automatically trusted.

Growing Concerns Ahead of 2027 Elections

The breach has raised alarms about the security of other critical systems, particularly those belonging to the Independent National Electoral Commission (INEC).

Experts warn that election infrastructure such as result transmission platforms and voter verification systems could become targets.

Any successful attack on these systems could undermine public trust in the electoral process.

A Broader Pattern Beyond Nigeria

The threat is not limited to Nigeria.

The same group has reportedly targeted international systems, including government infrastructure in Sweden and financial institutions in South Africa. This suggests a highly capable actor with global reach.

For Nigeria, however, the repeated attacks indicate that its systems may be seen as easier targets due to weaker protections.