Nigeria’s Corporate Affairs Commission, CAC, has confirmed a cybersecurity incident involving unauthorised access to parts of its information systems, raising fresh concern over the security of one of the country’s most sensitive public business databases.

In a public notice issued on Tuesday, the commission said it had activated its response protocols and launched a review of the incident. CAC said the unauthorised access was limited to some aspects of its systems, but did not disclose the exact systems affected or whether any records were altered or extracted.

The agency said it is working with the National Information Technology Development Agency, relevant government agencies and other partners to determine the full scope and impact of the incident. It added that containment measures have already been implemented and that extra safeguards are now in place.
While the review continues, CAC advised users to monitor their records on the CAC portal, update login credentials and remain cautious of unsolicited communications.
The incident touches a critical institution in Nigeria’s corporate ecosystem. CAC is the statutory registry for companies, business names and incorporated trustees, and its systems support incorporation, post-incorporation filings, status checks and corporate record verification across the country.
Any compromise involving the registry carries wider implications for businesses, investors, regulators and service providers that rely on CAC records for identity checks, compliance reviews and transaction due diligence.
At this stage, CAC has not publicly stated whether personal data was exposed, how the unauthorised access occurred, how long it lasted, or how many users may have been affected. That leaves key questions unanswered for registered entities and their advisers.
Under Nigeria’s Data Protection Act, a data controller is required to notify the regulator within 72 hours of becoming aware of a breach that is likely to pose a risk to the rights and freedoms of individuals. Where the risk is high, affected persons must also be informed in clear language, along with advice on how to reduce possible harm.
That legal threshold means the next official update from CAC will be closely watched, especially if the review shows that personal or business-sensitive data was accessed.
For now, the agency’s immediate guidance points to three practical steps for users, check records on the portal, change passwords, and treat unexpected messages or requests linked to CAC data with caution.
The commission said it remains committed to the security and integrity of Nigeria’s corporate registry and will provide further updates as necessary.
