CAC activates response protocols with NITDA, urges stakeholders to update login credentials after a breach affecting limited aspects of systems that process 10,000 daily registrations.
The Corporate Affairs Commission has confirmed a cybersecurity incident involving unauthorised access to parts of its information systems, raising concerns over the security of Nigeria’s corporate registry which holds sensitive data on millions of registered businesses, according to a public notice dated April 15, 2026.
In the notice signed by management, CAC disclosed that it promptly activated its response protocols and is working with the National Information Technology Development Agency, relevant government agencies, and partners to assess the scope and impact of the breach. The commission said appropriate containment measures have been implemented and additional safeguards are in place, though it did not specify which systems were affected, what data may have been accessed, or how many records may have been compromised.
The commission described the incident as involving “unauthorised access to limited aspects” of its information systems, suggesting a contained rather than total breach. However, CAC advised stakeholders to take immediate protective steps including monitoring their records on the CAC portal, updating login credentials, and remaining cautious of unsolicited communications. The advisory suggests the commission cannot rule out that login credentials may have been among the data accessed during the breach, while the warning about unsolicited communications indicates concern that data obtained could be used for phishing attacks, social engineering, or other fraud schemes targeting registered businesses and their directors.
The CAC is the sole authority responsible for the registration, regulation, and management of companies, business names, incorporated trustees, and other entities in Nigeria. Its database contains sensitive information on millions of registered businesses, including names and personal details of directors, shareholders, and company secretaries, registered office addresses, shareholding structures, financial filings, and corporate governance documents. The breach therefore potentially affects a vast number of individuals and entities, from small business owners who registered a business name to multinational corporations with Nigerian subsidiaries, churches and NGOs registered as incorporated trustees, and government-linked entities.
In February 2026, CAC disclosed that it processes up to 10,000 business registration requests daily, following the deployment of artificial intelligence across its service delivery platforms. The commission also handles an average of 5,000 customer enquiries each day via emails and call centres. The development has raised fresh concerns over the security of Nigeria’s corporate registry, particularly given the commission’s increasing reliance on digital systems and centralised digital repositories.
The cyberattack comes one week after the Nigeria Data Protection Commission launched an investigation into an alleged data breach involving Remita Payment Services and Sterling Bank, triggered after a threat actor known as “ByteToBreach” claimed that sensitive customer information, including Bank Verification Numbers, Know Your Customer documents, and transaction histories, was exposed. At the 2026 GITEX Africa summit, NITDA Director-General Kashifu Inuwa stated that human error causes 95% of digital security breaches, while cautioning that artificial intelligence is making these breaches more difficult to identify. CAC said it will provide updates as investigations progress.
Stay Informed: Visit our website for Breaking News, Intelligence, and Insights