0

By Osasome, C.O

CAC Confirms Cybersecurity Breach

Nigeria’s business registry has suffered a major cybersecurity incident after the online database of the Corporate Affairs Commission (CAC) was compromised by a dark web hacker known as ByteToBreach. The same actor had earlier claimed responsibility for a breach involving customer data on the Remita payment platform.

RELATED: CAC’s AI-driven platform transforms business registration in Nigeria

The incident has once again highlighted persistent vulnerabilities across state-controlled digital platforms in Nigeria.  Many of these store vast volumes of sensitive citizen and corporate data.

In a statement released on Wednesday, the CAC confirmed  the incident.

“A cybersecurity incident involving unauthorised access to limited aspects of its information systems,”it stated.

According to the Commission, its internal response protocols were immediately activated, with support from the National Information Technology Development Agency (NITDA) and other relevant government partners to assess the scope and impact of the breach.

ADVERTISEMENT

“Appropriate containment measures have been implemented, and additional safeguards are in place,” the statement said.

The CAC also advised users to monitor their records on the CAC portal, update login credentials, and remain cautious of unsolicited communications.

Extent of the Hacking and Data Exposure

The hacker behind the attack has reportedly been targeting sensitive online databases by exploiting systemic vulnerabilities. On March 31, the same actor claimed responsibility for breaching Remita’s know-your-customer (KYC) database, publishing samples of personally identifiable information.

In the CAC breach, the attacker allegedly accessed a wide range of documents submitted during business registrations. Investigations indicate that the compromised data may include:

  • Password repositories
  • Court affidavits and company resolutions
  • Handwritten signatures
  • National identity cards and voter cards
  • International passports and passport photographs

These documents are core requirements for registering companies, businesses, and non-governmental organisations in Nigeria.

CAC suggested that only a fraction of its systems was affected. But cybersecurity analysts warn that the nature of the exposed data poses serious risks. Evidence suggests the hacker actively sells institutional databases to cybercriminal networks. This increases the likelihood of impersonation, fraud, blackmail, and identity theft.

ADVERTISEMENT

Implications for Nigeria’s Corporate Data Security

Nigeria currently has over four million registered business entities.  Reports indicate that the CAC processed about 2.5 million registrations between January and February 2024 alone. Since July 2025, the Commission has reportedly processed more than 10,000 registrations daily following the adoption of AI-driven workflows.

This scale means thousands of Nigerians submit sensitive personal and corporate data to the CAC every day. By law, it places enormous responsibility on the agency to safeguard that information.

As a central institution in Nigeria’s business ecosystem, any compromise of CAC systems has far-reaching consequences for investor confidence, corporate integrity, and economic stability.

Investigation and Regulatory Oversight

Following the earlier Remita-related breach, the Nigeria Data Protection Commission (NDPC) announced it had launched an investigation into the leak operator and affected organisations.

On April 5, the NDPC stated:
“The Nigeria Data Protection Commission is carrying out an investigation into an alleged data breach involving Remita Payment Services Ltd., Sterling Bank and other entities.”

While the current status of that investigation remains unclear, the CAC incident opens a new front for regulatory scrutiny. This could expand the scope of NDPC’s enforcement actions under the Nigeria Data Protection Act (NDPA).

Key Implications of the CAC Breach

According to commentary from the SBTS Security Operations Centre (SOC) in Abuja, the reported scale of the breach—estimated at up to 750GB of data—poses severe systemic risks:

  • Exposure of Corporate Signatures: Claims suggest signatures belonging to nearly 25% of registered entities may have been compromised, raising the risk of document forgery and unauthorized filings.
  • Identity Theft and Fraud: Leaked records contain directors’ personal data, creating opportunities for targeted phishing, impersonation, and financial fraud.
  • Systemic Financial Risk: Stolen CAC credentials could potentially be used to access interconnected government and financial platforms, amplifying the impact across sectors.
  • Regulatory Sanctions: If investigations reveal inadequate safeguards, the CAC could face sanctions or fines under the NDPA.

Immediate Actions Recommended for Businesses

Cybersecurity experts and the CAC advise all registered entities and individuals to take urgent precautions:

  • Update Credentials: Change login passwords on the CAC registration portal immediately.
  • Monitor Records: Regularly review company filings for unauthorized changes or suspicious activity.
  • Stay Alert: Treat unsolicited emails, calls, or messages claiming to be from the CAC with extreme caution, as they may be phishing attempts.

A Growing Cyber Threat Landscape in Africa

Analysis by SBTS SOC indicates that organisations across Nigeria and Africa will continue to face increasingly sophisticated, AI-driven cyberattacks. Financial services, oil and gas, and public-sector platforms remain prime targets, with Nigeria ranking among the most attacked countries in Africa between 2024 and 2025.

Key challenges include weak internal security controls, limited access to skilled cybersecurity professionals, and the rapid pace of digital transformation outstripping regulatory enforcement.

As digitalisation accelerates, cybersecurity is no longer just an IT concern—it has become a critical issue of national economic security and business sustainability.

More in News

You may also like