Nigeria's CAC Confirms Major Data Breach Hitting Millions

Nigeria's Corporate Affairs Commission (CAC) has officially confirmed a significant cybersecurity breach involving unauthorized access to its central database. The registry, which holds the records of millions of registered companies and their associated directors, shareholders, and personal data, has been compromised. The CAC is now working alongside the National Information Technology Development Agency (NITDA) and other government bodies to assess the full scope of the incident.

The confirmation ends a period of uncertainty for businesses and individuals whose information is stored in the national registry, and it raises serious questions about the security posture of critical government infrastructure across the region.

What Was Exposed in the Breach

The CAC database is not a minor administrative system. It is the authoritative national record for corporate registrations in Nigeria, containing sensitive details about company ownership, directors' personal information, registered addresses, and financial structures. When a database of this nature is accessed without authorization, the potential for misuse is substantial.

Identity fraud, targeted phishing attacks, corporate espionage, and social engineering are among the risks that follow when structured business and personal records are exposed. The CAC has not yet published a detailed breakdown of exactly which records were accessed or the methods used in the attack, as the investigation with NITDA is still ongoing.

Why Government Registries Are High-Value Targets

National business registries are attractive targets for several reasons. They are centralized, they hold verified and structured data, and they often serve as the source of truth for legal and financial transactions. This makes the data inside them more reliable and therefore more valuable to malicious actors than information scraped from less authoritative sources.

The CAC breach is not an isolated incident globally. Government and quasi-government databases have faced breaches across multiple continents in recent years, often because legacy infrastructure, resource constraints, and bureaucratic procurement cycles make it difficult to maintain modern security standards. Centralization of sensitive data, while administratively efficient, creates single points of failure that require exceptional security investment to protect.

For businesses and individuals in Nigeria, this incident is a reminder that data submitted to government agencies sits outside their direct control. Once information enters a registry, the data subject has no ongoing ability to monitor how it is stored, who can access it, or how quickly a breach will be detected and disclosed.

What This Means For You

If you are a company director, shareholder, or business owner registered with the CAC, your personal and corporate information is potentially part of the exposed dataset. The investigation is ongoing, and the full picture may take weeks to clarify. Here are concrete steps to consider now:

  • Monitor for unusual activity. Watch for unexpected correspondence, unusual credit inquiries, or unsolicited contact referencing your business registration details. These can be early indicators of fraud attempts using exposed data.
  • Verify your digital accounts. Ensure that email accounts, banking platforms, and business services linked to your registered information have strong, unique passwords and multi-factor authentication enabled.
  • Be alert to phishing attempts. Attackers who obtain structured registry data often use it to craft convincing impersonation emails or calls. Treat unsolicited requests for sensitive information with heightened skepticism, even when they appear to reference accurate details about your business.
  • Document what data you submitted. Understanding exactly what information the CAC holds about you or your business helps you assess your personal exposure and respond more effectively if fraud occurs.
  • Follow official updates. The CAC and NITDA are the authoritative sources for guidance on this incident. Monitor their official communications for remediation advice as the investigation progresses.

It is also worth reflecting on broader data hygiene practices. Individuals and businesses have limited control over what happens inside government systems, but they do have control over the security of their own devices, accounts, and communications. Reducing the attack surface you can influence is a practical response to incidents affecting data you cannot directly protect.

A Broader Lesson in Data Dependency

The Nigeria CAC data breach illustrates a tension that governments and citizens navigate everywhere: modern economies require centralized registries to function, but centralization concentrates risk. There is no simple answer to this tension, but incidents like this one tend to accelerate pressure on institutions to modernize their security practices, improve breach detection, and establish clearer notification obligations for affected parties.

For now, the most productive response for anyone connected to the CAC database is to stay informed, act on the precautions available to them, and hold the relevant institutions accountable for transparent, timely communication as the investigation unfolds.