NDPC probes alleged data breach at Corporate Affairs Commission

The Nigeria Data Protection Commission (NDPC) has officially launched a comprehensive investigation into a significant data breach at the Corporate Affairs Commission (CAC).

This regulatory move, confirmed by Babatunde Bamigboye, the NDPC’s Head of Legal, Enforcement, and Regulations, is being conducted under the authority of Section 46(3) of the Nigeria Data Protection Act, 2023.

The primary objective of the probe is to safeguard the integrity of Nigeria’s digital economy and restore public trust following reports of unauthorized access to the nation’s corporate registry.

The investigation follows a series of alarming claims circulating online, which suggested that hackers had successfully breached the CAC’s database.

These reports alleged that as many as 25 million documents and corporate records may have been exfiltrated. In response to these growing concerns, the CAC acknowledged a cybersecurity incident, though it initially described the breach as affecting only “limited aspects” of its information systems.

To mitigate further risks, the CAC temporarily suspended its online portal for three days to conduct emergency maintenance and system upgrades.

READ ALSO: Dangote, IMF Leadership Engage on Nigeria’s Economic Outlook

Vincent Olatunji, the National Commissioner of the NDPC, has directed a technical team to collaborate with the CAC and other relevant agencies, including the National Information Technology Development Agency (NITDA), to evaluate the full scope of the compromise.

The investigation will scrutinize several critical areas of the CAC’s digital infrastructure, including its access control mechanisms, data privacy impact assessments, and vulnerability testing protocols.

Furthermore, the commission will examine the due diligence performed on third-party data processors to identify any weak links in the supply chain.

This incident is part of a broader trend of sophisticated cyberattacks targeting key Nigerian databases. The NDPC has noted with concern that threat actors are increasingly using advanced methods for large-scale data exfiltration and cross-platform compromises.

This latest probe follows similar investigations into other major entities, including Remita and Sterling Bank, highlighting a period of heightened scrutiny for both public and private sector data controllers.

As the investigation continues, the CAC has urged its users to remain vigilant, update their login credentials, and monitor their corporate records for any unauthorized changes.

While the NDPC maintains that Nigeria’s data protection frameworks are robust, this breach serves as a stark reminder of the evolving threats in the digital space and the necessity for continuous reinforcement of national data security architecture.