The Corporate Affairs Commission (CAC) of Nigeria has confirmed a Cybersecurity breach involving unauthorised access to portions of its digital systems, triggering widespread concern among businesses, stakeholders, and the general public. In an official public notice released on Wednesday, the commission acknowledged the incident and outlined its swift response to mitigate potential risks.
Key Takeaways:
• Cyber Hackers Hit Nigerian Corporate Affairs Commission gaining access to a Large Database of “Highly Sensitive” Business Information
• The Nigerian Corporate Affairs Commission (CAC) is the sole Nigerian National Body tasked with registration and Incorporation of Businesses in the Country
• CAC officials say the Condition is now under control and releases detailed guidelines for Businesses to follow
Details of the Cybersecurity Incident
According to the statement, the breach was limited in scope, affecting only specific aspects of the commission’s information systems rather than the entire infrastructure. The CAC emphasised that it is actively reviewing the cybersecurity incident to determine the full extent of the unauthorised access.
The CAC, which serves as Nigeria’s primary regulatory body for company incorporation, business name registration, and the maintenance of the national corporate registry, plays a pivotal role in the country’s economic ecosystem. With millions of registered entities relying on its online portal for filings, searches, and compliance activities, any disruption or compromise to its systems raises serious questions about data security and operational continuity.
“The Corporate Affairs Commission (CAC) is currently reviewing a cybersecurity incident involving unauthorised access to limited aspects of its information systems,” the notice stated. This measured language suggests that while the intrusion was detected and contained early, the agency is exercising caution to avoid speculation while investigations proceed.
Snapshot of Official Statement confirming the Cyber Attack from the Nigerian Corporate Affairs Commission (CAC) – Source CAC (X )
The commission promptly activated its internal incident response protocols. It is collaborating closely with the National Information Technology Development Agency (NITDA), other relevant government bodies, and strategic partners to thoroughly assess the scope, potential impact, and any vulnerabilities exploited during the breach.
Containment measures were implemented immediately, and additional security safeguards have been strengthened to protect the integrity of the systems moving forward. The notice reiterated: “The Commission promptly activated its response protocols and is working with NITDA, relevant government agencies and partners to assess the scope and impact. Appropriate containment measures have been implemented, and additional safeguards are in place.”
Context Within Nigeria’s Broader Cybersecurity Challenges
This incident occurs against a backdrop of escalating cyber threats across Nigeria’s digital landscape. In recent months, reports have highlighted a surge in cyber attacks targeting financial institutions, fintech platforms, government agencies, and private sector organisations. Analysts note that Nigerian entities have faced thousands of weekly attack attempts, with government systems often prime targets due to the sensitive nature of the data they hold.
Picture depicting a CyberHacker while in Acton
The CAC manages critical corporate data, including company profiles, director information, share structures, and compliance records for millions of businesses. Unauthorised access could potentially expose personal identifiable information (PII), financial details, or proprietary business documents if the breach extended beyond initial assessments. Although the official notice described the impact as limited, unverified claims circulating online have alleged a much larger-scale exfiltration of documents by a threat actor, underscoring the need for transparent and thorough investigation.
Nigeria’s digital economy has grown rapidly, driven by initiatives such as the National Digital Economy Policy and the push for electronic company registration through the CAC portal. However, this expansion has also increased the attack surface for cybercriminals.
Common tactics in the region include ransomware, phishing campaigns, supply-chain attacks, and state-sponsored or financially motivated intrusions. The involvement of NITDA in the response aligns with its mandate to coordinate national cybersecurity efforts and enforce data protection standards under the Nigeria Data Protection Act.
Advice to Stakeholders and Precautionary Measures
In light of the ongoing review, the CAC has urged all stakeholders including registered companies, business owners, legal practitioners, and portal users to exercise heightened vigilance. Key recommendations include:
- Regularly monitoring their records and filings on the CAC portal for any unauthorised changes or suspicious activity.
- Immediately updating login credentials with strong, unique passwords and enabling multi-factor authentication (MFA) where available.
- Remaining cautious of any unsolicited communications, such as emails, SMS, or calls claiming to be from the CAC or related to the incident, which could be phishing attempts aimed at harvesting further credentials or personal data.
- Avoiding clicking on suspicious links or downloading attachments from unverified sources.
The notice advised: “While the review is ongoing, stakeholders are advised to monitor their records on the CAC portal, update login credentials, and remain cautious of unsolicited communications.”
These steps are standard best practices in incident response but are particularly crucial here, given the potential for secondary attacks that often follow high-profile breaches. Experts recommend that users also review their broader digital hygiene, such as scanning devices for malware and being wary of social engineering tactics that exploit public awareness of the incident.
Reassurance and Commitment to Security
Despite the breach, the CAC sought to reassure the public and the business community of its unwavering commitment to safeguarding Nigeria’s corporate registry. The agency pledged to provide timely updates as more information becomes available from the ongoing investigation.
“CAC remains committed to the security and integrity of Nigeria’s corporate registry and will provide updates as necessary,” the statement concluded.
This reassurance is vital because the CAC’s database underpins key economic activities, including access to credit, government contracts, foreign investment compliance, and anti-money laundering efforts. Any perceived weakness in its systems could erode confidence in Nigeria’s business environment at a time when the country is actively promoting ease of doing business reforms.
Broader Implications and the Way Forward
Cybersecurity incidents like this highlight systemic challenges in Nigeria’s public sector digital infrastructure. Many government agencies are undergoing digital transformation, but legacy systems, resource constraints, and a shortage of skilled cybersecurity professionals can create exploitable gaps. The federal government has been working on initiatives such as establishing a National Cybersecurity Coordination Council and introducing a comprehensive national framework to address rising threats, including AI-powered attacks.
For the CAC specifically, the breach may accelerate plans to enhance its technological resilience, potentially including advanced encryption, AI-driven threat detection, regular penetration testing, and stricter third-party vendor security audits. Collaboration with NITDA and the Nigeria Data Protection Commission (NDPC) will likely play a central role in any post-incident review, compliance assessments, and potential notifications to affected parties if required under data protection regulations.
In the meantime, businesses and individuals interacting with the CAC are encouraged to stay informed through official channels only primarily the CAC website (cac.gov.ng) and verified government announcements. Avoiding rumours and unverified social media claims is essential to prevent panic or falling victim to opportunistic scams.
As Nigeria continues its journey toward a fully digital economy, events like the CAC cybersecurity breach serve as important reminders of the delicate balance between innovation and security. Robust incident response, transparent communication, and proactive stakeholder engagement will be key to restoring and maintaining trust in critical national institutions.
The full resolution of this incident may take time, but the CAC’s prompt disclosure and collaborative approach signal a responsible stance. Ongoing vigilance from both the agency and its users will be crucial in minimising any long-term repercussions and strengthening the overall cybersecurity posture of Nigeria’s corporate regulatory framework.
Leave a Reply