NDPC launches probe into CAC cyber breach as data security concerns rise

The Nigeria Data Protection Commission (NDPC) has launched an investigation into the cyberattack on the Corporate Affairs Commission (CAC), which recently confirmed unauthorised access to parts of its systems.

The Nigeria Data Protection Commission (NDPC) announced the investigation in a press release dated April 17, 2026, signed by Babatunde Bamigboye, Head of Legal, Enforcement, and Regulations. The commission referred to Section 46(3) of the Nigeria Data Protection Act 2023 as the basis for its intervention.

The National Commissioner and CEO of NDPC, Dr Vincent Olatunji, has directed the technical team to engage with relevant authorities and organisations. Their goal is to strengthen existing data protection measures.

The investigation will focus on access controls, data privacy impact assessments, vulnerability checks, security testing, and due diligence on third-party data processors linked to CAC’s systems.

The commission expressed particular concern about the tactics employed by threat actors targeting Nigerian institutions. It noted that attacks have become more sophisticated, involving large-scale data extraction and coordinated compromises across interconnected systems.

Back story: CAC suffers cyberattack, begins investigation with NITDA support

“The NDPC notes with concern that threat actors in the digital space have devised malicious methods of compromising the data security architecture of key databases,” the statement read.

CAC confirmed the breach on April 15, describing it as “unauthorised access to limited aspects” of its information systems. The commission said it had activated response protocols and was working with the National Information Technology Development Agency (NITDA) to assess the damage, without disclosing what data may have been accessed or extracted.

NDPC probe deepens amid rising pattern of data breaches

The CAC breach and the NDPC’s response are the latest in a string of cybersecurity incidents hitting Nigerian institutions in quick succession.

Just a week earlier, the NDPC launched a separate investigation into alleged breaches at Remita Payment Services and Sterling Bank. This followed claims by a threat actor known as “ByteToBreach” that sensitive customer data, including BVNs, KYC documents, and transaction records, had been compromised.

CAC manages Nigeria’s official corporate registry and serves as the primary agency for business registration in the country. A serious breach could potentially expose the records of millions of registered businesses and their directors, data critical to Nigeria’s formal economy.

The NDPC said its ongoing regulatory actions are aimed at sustaining public trust in digital services and protecting investment in Nigeria’s digital economy.

The commission also sought to reassure the public that Nigeria’s broader data protection framework remains fundamentally sound, pointing to the growing rate of access to data-driven services as evidence.

CAC has advised users to monitor their records on the CAC portal, update their login credentials, and remain alert to unsolicited communications that may be connected to the incident. The commission said it will provide further updates as investigation continues.