By | Destiny Young
DarkWebInformer, an account on X that monitors and reports cybersecurity breaches worldwide, said a threat actor group known as ByteToBreach infiltrated the Corporate Affairs Commission, CAC, IT system in Nigeria and exfiltrated 25 million documents.
The alleged theft of 25 million documents from the Corporate Affairs Commission should concern every serious observer of Nigeria’s digital transformation journey. Even if the final forensic outcome shows that the number being circulated is exaggerated, the wider lesson remains the same. Nigeria’s public sector has a cybersecurity problem, and that problem is rooted in chronic under-investment.
The real issue is not only whether a hacker accessed one agency’s systems. The real issue is why so many government Ministries, Departments and Agencies still treat cybersecurity as an afterthought. In many MDAs, digital platforms have expanded faster than security controls. Portals have been launched. Databases have been centralised. Public services have moved online. But the security architecture behind many of those systems remains weak, fragmented, or outdated.
A platform like CAC is not an ordinary website. It is a high-value national registry. It sits on sensitive business information, corporate filings, identity-linked records and compliance data. Any successful compromise of such a platform has implications far beyond technical embarrassment. It raises concerns about privacy, identity theft, fraud, document manipulation, corporate espionage and public trust.
When citizens and businesses submit records to a government platform, they assume the state has the competence to protect them. That trust is the foundation of digital government. Once it is shaken, confidence drops across the board. People become less willing to embrace online services. Businesses begin to question the safety of regulatory platforms. Investors take note. The cost is reputational, economic and institutional.
This is why the CAC incident, whether partial or extensive, must be viewed as a warning to the entire public sector.
Too many MDAs still operate with a weak cybersecurity posture because security spending is either absent, tokenistic, or poorly prioritised. Budget lines often favour visible infrastructure, hardware procurement and application rollout, while security governance, continuous monitoring, vulnerability management, incident response capability and staff training receive little attention. In practice, many agencies buy technology, but do not build resilience.
Cybersecurity is not achieved by owning firewalls and antivirus licences. It is achieved by sustained investment in people, process and technology. An agency may deploy expensive systems and still remain exposed if it lacks security operations, log monitoring, access control discipline, patch management, privileged account protection, encryption standards, backup integrity, third-party risk management and tested response playbooks.
Human resources are an equally serious weakness. Many MDAs do not have enough qualified cybersecurity professionals. Some do not have any dedicated security team at all. Security duties are often merged into general IT administration, where overworked personnel are expected to manage networks, support users, maintain servers and somehow defend against modern threat actors. That is not a strategy. That is an invitation to compromise.
The threat landscape has changed, but institutional behaviour in many parts of government has not changed with it. Attackers now move faster, collaborate better and commercialise stolen data efficiently. They exploit unpatched systems, weak passwords, misconfigured cloud environments, exposed databases, poor identity controls and inattentive vendors. They also understand public sector weaknesses. They know procurement cycles are slow. They know oversight is inconsistent. They know accountability after incidents is often weak.
This is why a breach in one MDA should never be treated as an isolated event. It should be treated as a sector-wide stress signal.
The CAC case also exposes another recurring problem in government. Many institutions do not invest enough in cyber preparedness before an incident, but become reactive after public exposure. That model is costly. Once data is stolen, the discussion changes from prevention to damage control. At that stage, the agency is already dealing with legal exposure, operational disruption, public scrutiny and trust erosion. Recovery becomes harder and more expensive than prevention would have been.
Nigeria already has a legal and regulatory direction that points toward stronger breach handling and data protection. The challenge is implementation. Public institutions must move from formal compliance language to operational discipline. A policy on paper does not stop exfiltration. A circular does not stop lateral movement. An announcement does not replace forensic readiness.
The response to incidents like this must therefore go beyond asking users to change passwords. That is necessary, but it is not sufficient. What is required is a whole-of-government reset in how cybersecurity is funded and governed:
MDAs that hold sensitive citizen, business, financial or regulatory data should be treated as critical digital institutions. Their security cannot be left to routine ICT budgeting. They need ring-fenced cybersecurity funding tied to measurable controls, audits and resilience outcomes.
Government must invest in skilled personnel. This means recruiting and retaining security analysts, incident responders, digital forensics specialists, governance and risk professionals, cloud security engineers and security architects. It also means continuous training for general staff, because many breaches still begin with phishing, credential theft or simple operational lapses.
Every MDA should have a minimum security baseline. That should include multi-factor authentication, privileged access controls, continuous vulnerability scanning, endpoint detection and response, centralised logging, backup validation, vendor risk assessment, encryption of sensitive data, and regular independent security testing. Without a baseline, security maturity will remain uneven and attackers will keep finding the weakest link.
Incident reporting and public communication must improve. When agencies disclose incidents vaguely and late, they create more uncertainty. Responsible disclosure does not require panic, but it does require clarity. Affected stakeholders need timely facts, practical guidance and evidence that containment, investigation and remediation are underway.
Leadership accountability must become real. Cybersecurity is no longer a narrow IT matter. It is a governance issue. Permanent secretaries, chief executives, Vice Chancellors, boards and supervising ministries must be held answerable for cyber risk posture in the same way they are answerable for finance, procurement and service delivery.
This is the wider implication of the CAC incident. It is a mirror held up to the Nigerian public sector. It shows the cost of treating cybersecurity as optional, underfunding specialist capacity, and digitising services without equal investment in defence.
Nigeria cannot build a credible digital economy on insecure public infrastructure. It cannot demand trust from businesses and citizens while failing to secure the systems that store their records. It cannot continue to celebrate digital transformation without paying for cyber resilience.
The lesson is plain. Cybersecurity must move from the margins of public administration to the centre of state capacity. Until that happens, incidents like this will keep recurring, and each one will deepen public doubt about the safety of government data systems.
—
Destiny Young is a Technology and IT Infrastructure Management Executive and Cybersecurity Professional with extensive experience in enterprise systems, digital transformation, and cybersecurity management. He holds a First Class Master of Science degree in Digital Transformation, a Distinction grade Master of Business Administration with a specialisation in Cybersecurity, and a Master of Technology degree in Information Technology. His work focuses on strengthening cyber resilience in organisations and examining the relationship between technology, risk, and business strategy. Destiny is also an active academic researcher with a strong interest in cybersecurity governance and threat mitigation. He writes regularly on digital security issues affecting businesses in Nigeria and contributes to industry discussions on cyber risk management and policy development.
