Over 25 million sensitive company documents leaked — directors’ IDs, passports, signatures & more. Nigeria’s biggest corporate registry hack just got real.
Over 25 million sensitive company documents — including directors’ IDs, passports, signatures, and beneficial ownership records — reportedly leaked in one of Nigeria’s biggest cybersecurity incidents this year.
Korede Akinsanya
5/26/2026 · 4 min read


The Corporate Affairs Commission (CAC) Data Breach: A Major Cybersecurity Incident Shaking Nigeria’s Corporate Registry (April 2026)
In mid-April 2026, Nigeria’s Corporate Affairs Commission (CAC) — the government agency responsible for registering and regulating companies, business names, and incorporated trustees — confirmed a significant cybersecurity incident. Unauthorized actors gained access to parts of its information systems, leading to reports of massive data exfiltration.
The breach has raised serious concerns about data privacy, national security, anti-money laundering efforts, and the integrity of Nigeria’s digital business ecosystem. It forms part of a wave of attacks attributed to the ransomware group ByteToBreach, which also targeted financial institutions like Sterling Bank and the Remita payment platform.
What Happened: Timeline of the Incident
April 15, 2026: CAC issued a public “Notice of System Review.” It acknowledged a cybersecurity incident involving unauthorized access to “limited aspects” of its information systems. The Commission stated it had activated response protocols, implemented containment measures, and was collaborating with the National Information Technology Development Agency (NITDA) and other partners to assess the scope and impact.
Stakeholders were advised to:
Monitor their records on the CAC portal.
Update login credentials immediately.
Remain cautious of unsolicited communications (e.g., phishing attempts).
The online company registration portal was temporarily shut down for maintenance and security upgrades.
April 17–20, 2026: The Nigeria Data Protection Commission (NDPC) launched a formal investigation under Section 46(3) of the Nigeria Data Protection Act, 2023. NDPC emphasized the need to protect public trust in digital systems and announced it would examine access controls, data privacy impact assessments, vulnerability testing, and third-party processors.
Scale of the Breach According to Reports
Independent cybersecurity monitors and media reports, particularly from sources tracking the threat actor, claim the breach was far more extensive than CAC’s initial “limited aspects” description:
Approximately 25 million documents (around 750 GB of data) were allegedly exfiltrated.
Over 15 million sensitive company documents were reportedly leaked or made available, including incorporation records, beneficial ownership details, directors’ information, national ID documents, passport photographs, and handwritten signatures.
The group ByteToBreach reportedly posted proof online, including screenshots of the intrusion (one labeled “GOV_BETRAYAL”). The leaked data has circulated on file-hosting sites and cybercrime forums.
The Threat Actor: ByteToBreach
ByteToBreach is described as a sophisticated group active since at least mid-2025. It specializes in targeting government and large organizational databases. In Nigeria, it hit:
Sterling Bank (customer and staff data).
Remita (payment platform, exposed via misconfigured cloud storage).
CAC (corporate registry).
The group has also claimed attacks outside Nigeria, such as on Sweden’s e-government systems. Its tactics appear to combine technical exploits with exploitation of human/config errors.
Why This Breach Matters: Far-Reaching Implications
The CAC serves as Nigeria’s central corporate registry. Compromised data includes:
Company ownership structures and beneficial owners (key for anti-money laundering).
Directors’ personal details.
Legal and filing histories.
Consequences include:
Undermining reforms: Nigeria has been strengthening beneficial ownership transparency to combat shell companies, corruption, and financial crimes. This breach provides fraudsters a “master key” for identity theft, forging companies, blackmail, or sophisticated scams.
Business and individual risks: Directors and business owners face potential phishing, CEO fraud, or targeted attacks. Banks and regulators relying on CAC data for due diligence are affected.
National security and economy: Exposure of data in critical sectors (oil & gas, telecom, etc.). Broader concerns about election infrastructure (e.g., INEC) ahead of future polls.
Economic cost: Nigeria already loses hundreds of millions annually to cybercrime. This adds to reputational damage and erodes trust in digital government services.
Experts have criticized outdated systems, inadequate training, political appointments in tech roles, and slow adoption of best practices like multi-factor authentication (MFA), regular patching, and proper cloud configuration.
Official and Expert Responses
CAC: Focused on containment, system review, and user advisories. Later mandated password resets and enhanced authentication for users.
NDPC: Issued advisories urging organizations to appoint data protection officers, conduct audits, encrypt data, and implement robust security. It is actively investigating.
Civil society and experts: Calls for independent audits, accountability, better funding for cybersecurity, and hiring skilled professionals. Groups like Avocats Sans Frontières France highlighted privacy rights under the 1999 Constitution and NDPA 2023.
What Should Affected Parties Do?
Log into the CAC portal and review company records for unauthorized changes.
Update passwords with strong, unique credentials and enable MFA/2FA.
Monitor for suspicious activity (emails, transactions, filings).
Be vigilant against phishing claiming to be from CAC or government agencies.
Businesses: Review data protection policies and report incidents as required.
Broader Lesson for Nigeria
The CAC breach is a stark wake-up call. As Nigeria pushes digital transformation, cybersecurity must be a national priority — built into systems from the start, not as an afterthought. It highlights vulnerabilities in critical infrastructure and the need for skilled talent, investment, and stricter enforcement of data protection laws.
This incident is still evolving, with ongoing investigations. Businesses and individuals should treat their CAC-related data as potentially compromised and act accordingly.
Sources: Official CAC notices, NDPC statements, reports from BusinessDay, Guardian, Leadership, DataGuidance, and cybersecurity researchers (as of late May 2026). Always cross-check the latest official updates from cac.gov.ng and ndpc.gov.ng.
This article is for informational purposes. For legal or professional advice, consult relevant authorities or experts.


