By 
By Osasome, C.O
NDPC Opens Formal Investigation into CAC Cybersecurity Breach
Pursuant to Section 46(3) of the Nigeria Data Protection Act, 2023, the Nigeria Data Protection Commission (NDPC) has commenced a formal investigation into a reported data breach at the Corporate Affairs Commission (CAC). The move underscores the Commission’s commitment to protecting personal data and sustaining trust in Nigeria’s rapidly expanding digital economy.
RELATED: CAC database breach: Hackers access sensitive corporate records, exposing Nigeria’s cybersecurity gaps
The NDPC expressed concern over increasingly sophisticated cyber threats, noting that malicious actors now deploy advanced techniques such as large-scale data exfiltration and cross-platform compromise across interconnected digital systems.
CAC Confirms Cyber Incident Affecting Digital Infrastructure
The CAC confirmed on April 15, 2026, that it experienced a cybersecurity incident involving unauthorised access to parts of its digital infrastructure.
Although the Commission described the breach as affecting “limited aspects” of its systems, emerging reports suggest that data linked to millions of registered Nigerian companies may have been exposed.
As an immediate response, the CAC has activated containment measures and is working closely with the National Information Technology Development Agency (NITDA) to assess the scope, scale, and potential impact of the incident.
Key Facts About the CAC Data Breach
- Confirmation Date: April 15, 2026
- Nature of Incident: Unauthorised access by sophisticated threat actors, including possible large-scale data exfiltration
- Regulatory Response: NDPC launched a formal investigation on April 17, 2026, under Section 46(3) of the Nigeria Data Protection Act, 2023
- Current Status: Containment measures in place; joint technical assessment ongoing with NITDA
NDPC Focus Areas in the Ongoing Probe
The NDPC’s investigation is examining several critical aspects of CAC’s data protection and cybersecurity framework, including:
- Access Control Mechanisms: Evaluation of user and administrator access privileges
- Vulnerability Assessment and Penetration Testing (VAPT): Identification of system weaknesses and exploit paths
- Third-Party Compliance: Due diligence and security audits of external partners and data processors
- Data Protection Processes: Review of Data Privacy Impact Assessments and incident response procedures
Guidance for CAC Users and Stakeholders
In the interim, company owners and stakeholders are advised to take proactive security measures, including:
- Updating Login Credentials: Change passwords used on the CAC portal immediately
- Monitoring Corporate Records: Regularly review company details for unauthorised modifications
- Exercising Vigilance: Be cautious of unsolicited emails, phone calls, or messages purporting to originate from the CAC
Regulatory Assurance and Public Trust
As part of broader regulatory support measures, the National Commissioner and CEO of the NDPC, Vincent Olutunji, has directed the Commission’s technical teams to engage relevant authorities and key institutions to further reinforce safeguards for personal data processing across government platforms.
In a statement signed by Babatunde Bamigboye, Head of Legal, Enforcement and Regulations at the NDPC, the Commission reaffirmed that Nigeria’s data protection frameworks remain fundamentally strong, supported by growing access to data-driven services nationwide.
Strengthening Confidence in Nigeria’s Digital Economy
The NDPC emphasised that its ongoing intervention is a necessary regulatory step. It is aimed at sustaining public confidence in digital services and encouraging continued investment in Nigeria’s digital economy.
The Commission reaffirmed its commitment to enforcing data protection standards while supporting innovation, economic growth, and secure digital transformation across public and private sectors.
