NDPC probes alleged data breach at Corporate Affairs Commission

The Nigeria Data Protection Commission has launched an investigation into a reported data breach at the Corporate Affairs Commission.

This was disclosed in a statement signed by the Head of Legal, Enforcement and Regulations, Babatunde Bamigboye, citing provisions of the Nigeria Data Protection Act, 2023.

The Commission said the move is aimed at safeguarding trust in Nigeria’s digital and economic systems amid growing concerns over data security.

The NDPC expressed concern over increasing activities of threat actors targeting key databases, noting that such attacks involve large-scale data breaches and cross-platform compromises.

According to the Commission, these actors are deploying sophisticated methods to exploit vulnerabilities across interconnected systems.

The NDPC notes with concern that threat actors in the digital space have devised malicious methods of compromising the data security architecture of key databases. These involve large-scale data exfiltration and cross-platform compromise across interconnected systems,” they stated

The CEO of the NDPC, Vincent Olatunji, directed the agency’s technical team to engage relevant authorities and organisations to strengthen existing data protection measures.

The probe by the Commission follows a sequence of events that began circulating online, alleging that hackers had breached the CAC database and possibly accessed millions of corporate records.

These claims alleged that approximately 25 million documents may have been exfiltrated from the infrastructure of the Corporate Affairs Commission.

Amid growing speculation, the CAC confirmed a full-scale breach. In its first official statement, the Commission described the incident as affecting “limited aspects” of its information systems and said it had activated internal response protocols while working with the National Information Technology Development Agency (NITDA) and other partners to assess the impact.

The agency also advised users to update their login credentials and monitor their records, signalling concern that sensitive data such as account details or corporate records could have been exposed or targeted.

The Commission said the investigation into CAC will examine critical areas, including:

It added that the probe forms part of broader regulatory efforts to reinforce safeguards around the processing of personal data in Nigeria.

The NDPC also assured the public that Nigeria’s data protection frameworks remain strong, noting that increasing adoption of digital services reflects growing confidence in the system.

There have been a series of recent investigations launched by the Nigerian Data Protection Commission into major organisations handling sensitive personal data.

They have also stepped up warnings over growing cyber threats and attacks on financial systems, telecommunications networks, cloud platforms, and public sector databases.