*Warns Millions Of Registered Businesses To Update Credentials
![](https://thenigerialawyer.com/wp-content/uploads/2024/11/TheNigerialawyer-WhatsApp-Channel1.jpg")
The Corporate Affairs Commission has confirmed that it is investigating a cybersecurity incident involving unauthorised access to limited aspects of its information systems — a breach that potentially affects the data of millions of businesses and organisations registered on Nigeria’s corporate registry, the most comprehensive database of business entities in the country.
In a public notice signed by the management and dated April 15, 2026, the CAC disclosed that it had promptly activated its response protocols and is working with the National Information Technology Development Agency, relevant government agencies, and partners to assess the scope and impact of the breach.
The commission said appropriate containment measures have been implemented and additional safeguards are in place, while advising stakeholders to take immediate protective steps including monitoring their records on the CAC portal, updating login credentials, and remaining cautious of unsolicited communications.
The commission’s notice was carefully worded but unmistakable in its central disclosure: that unauthorised parties gained access to its information systems.
“The Corporate Affairs Commission is currently reviewing a cybersecurity incident involving unauthorised access to limited aspects of its information systems,” the notice stated.
The use of the phrase “limited aspects” suggests the CAC is characterising the breach as contained rather than total — implying that not all systems or data were compromised. However, the commission did not specify which systems were affected, what data may have been accessed, or how many records may have been compromised.
“The Commission promptly activated its response protocols and is working with National Information Technology Development Agency, relevant government agencies and partners to assess the scope and impact,” the CAC stated.
The involvement of NITDA the agency responsible for coordinating information technology development and regulation in Nigeria — indicates the breach is being treated as a significant cybersecurity event requiring national-level technical response.
“Appropriate containment measures have been implemented, and additional safeguards are in place,” the commission added.
The CAC issued three specific advisories to stakeholders while the review is ongoing.
First, stakeholders should monitor their records on the CAC portal to check for any unauthorised changes to their company information, directorship records, shareholding structures, or other registered details.
Second, stakeholders should update their login credentials — usernames and passwords — for their CAC portal accounts immediately. This advisory suggests the commission cannot rule out that login credentials may have been among the data accessed during the breach.
Third, stakeholders should remain cautious of unsolicited communications. This warning indicates concern that data obtained from the breach could be used for phishing attacks, social engineering, or other fraud schemes targeting registered businesses and their directors.
The CAC is the sole authority responsible for the registration, regulation, and management of companies, business names, incorporated trustees, and other entities in Nigeria. Its database contains sensitive information on millions of registered businesses, including the names and personal details of directors, shareholders, and company secretaries, registered office addresses, shareholding structures, financial filings, and corporate governance documents.
A breach of this database could expose business owners and directors to identity theft, corporate fraud, and targeted attacks. It could enable criminals to file fraudulent changes to company records — such as changing directors, transferring shares, or altering registered addresses — undermining the integrity of the corporate registry. It could facilitate sophisticated phishing and social engineering attacks using genuine company data obtained from the breach. And it could compromise the trust that businesses, investors, and regulatory authorities place in the integrity of the CAC’s records.
The corporate registry is also used as a reference by banks, investors, regulatory agencies, and international partners to verify the legitimacy and ownership of Nigerian businesses. Any compromise of this data has implications that extend far beyond the CAC itself, potentially affecting commercial transactions, due diligence processes, and regulatory compliance across the Nigerian economy.
The CAC’s database is one of the largest repositories of business and personal data in Nigeria. Over the past several years, the commission has digitised its records and moved most registration and filing processes online, creating a centralised digital repository that contains information on every formally registered business entity in the country.
Recent reports indicate that business registrations with the CAC have increased significantly, with the commission processing hundreds of thousands of new registrations annually. The total number of entities on the registry — including active companies, business names, incorporated trustees, and other categories — runs into the millions.
The breach therefore potentially affects a vast number of individuals and entities, from small business owners who registered a business name to multinational corporations with Nigerian subsidiaries, from churches and NGOs registered as incorporated trustees to government-linked entities.
While the commission’s initial notice provides the essential disclosure and immediate advisory, several critical questions remain unanswered.
When was the breach discovered, and when did the unauthorised access actually occur? Is there a gap between the time of the breach and the time of discovery — a gap during which attackers may have had undetected access to the systems?
What specific data was accessed or potentially compromised? The phrase “limited aspects” provides little clarity on whether personal data, financial information, corporate records, or login credentials were among the affected data.
How many records or accounts are potentially affected? Without this information, stakeholders cannot adequately assess their risk.
How did the breach occur? Was it through a vulnerability in the CAC’s systems, a supply chain compromise, social engineering targeting CAC staff, or some other method?
Has any data been exfiltrated — that is, actually copied and removed from the CAC’s systems — or was the access limited to viewing?
Have any fraudulent changes been made to company records as a result of the breach? If so, how will the CAC identify and reverse them?
What specific “additional safeguards” have been put in place, and are they sufficient to prevent further unauthorised access?
The CAC has committed to providing updates as necessary, and stakeholders will be looking for answers to these questions in subsequent communications.
The CAC breach is the latest in a series of cybersecurity incidents affecting Nigerian public institutions, highlighting the vulnerability of government systems that hold sensitive citizen and business data.
Nigeria’s public sector has faced growing cybersecurity challenges as more government services move online without corresponding investment in security infrastructure, staff training, and incident response capabilities.
The involvement of NITDA in the response reflects the government’s recognition that cybersecurity incidents at critical institutions like the CAC require coordinated, professional response but the breach itself raises questions about whether adequate preventive measures were in place before the incident.
Pending further information from the CAC, registered businesses and their directors should take the following precautionary steps. Change all passwords associated with CAC portal accounts immediately, using strong, unique passwords. Review company records on the CAC portal for any unauthorised changes to directors, shareholders, registered addresses, or other details. Be vigilant about emails, text messages, or calls that reference CAC information or request personal or financial details. Report any suspicious activity or unauthorised changes to the CAC and to relevant law enforcement agencies. And monitor bank accounts and financial records for any unusual activity that could be linked to compromised business information.
The CAC stated it remains “committed to the security and integrity of Nigeria’s corporate registry” and will provide updates as necessary.
Interested buyers are encouraged to place their orders and enquiries via:
0704 444 4777, 0704 444 4999, 0818 199 9888
Website: www.alexandernigeria.com
The book, titled The Law of Torts in Nigeria: A Functional Approach, authored by Professor Hagler Sunny Okorie Ph.D and Ikeocha, Nathaniel Ngozi Esq, offers law students, practitioners, and academics a comprehensive guide to understanding and applying tort law in Nigerian courts. Interested buyers can place orders via the following contact numbers: 08028636615, 08037667945, 08032253813, or +234 902 196 2209.
_______________________________________________________________________
ARTIFICIAL INTELLIGENCE FOR LAWYERS: A COMPREHENSIVE GUIDE
Reimagine your practice with the power of AI “...this is the only Nigerian book I know of on the topic.” — Ohio Books Ltd
Authored by Ben Ijeoma Adigwe, Esq., ACIArb (UK), LL.M, Dip. in Artificial Intelligence, Director, Delta State Ministry of Justice, Asaba, Nigeria.
Bonus:
Get a FREE eBook titled “How to Use the AI in Legalpedia and Law Pavilion” with every purchase.
How to Order: 📞 Call, Text, or WhatsApp: 08034917063 | 07055285878 📧 Email: benadigwe1@gmail.com 🌐 Website: www.benadigwe.com
Ebook Version: Access directly online at: https://selar.com/prv626
________________________________________________________________________ [A MUST HAVE] Evidence Act Demystified With Recent And Contemporary Cases And Materials
