Nigeria’s Corporate Affairs Commission (CAC) said it is investigating unauthorised access to parts of its digital infrastructure, raising concerns over potential exposure of sensitive company data and the resilience of government-backed online services.
In a public notice issued on April 15, 2026, the commission said it detected “unauthorised access” to segments of its information systems and immediately activated containment and response protocols. The agency is working with the National Information Technology Development Agency and other government partners to determine the scope and impact of the breach.
The disclosure, which began circulating in media reports on April 15 and 16, marks one of the most significant cybersecurity incidents involving Nigeria’s corporate registry in recent years. While the commission did not specify the volume or nature of data affected, it advised users to update their login credentials and monitor their records as investigations continue.
The CAC, led by Registrar-General Hussaini Ishaq Magaji, oversees company incorporation, name reservation, and compliance filings for millions of businesses operating in Africa’s largest economy. Its online portal has become central to Nigeria’s push to streamline business registration and improve its ease-of-doing-business rankings.
The incident comes amid a broader shift toward digitisation across public services, a transition that has increased efficiency but also expanded the attack surface for cyber threats. Analysts say any disruption to the CAC’s systems could delay filings, stall new business registrations, and create compliance risks for firms ranging from startups to multinationals.
“This is a systemic platform,” said a Lagos-based technology risk consultant. “Even limited downtime can cascade into regulatory bottlenecks, while any confirmed data compromise would raise more serious legal and financial exposure.”
Cybersecurity specialists have long warned that the pace of digital adoption in government agencies is not always matched by investment in defensive infrastructure. If sensitive corporate records were accessed, affected entities could face risks including identity theft, fraudulent filings, and corporate espionage.
The National Information Technology Development Agency, which is supporting the response, has repeatedly called for stronger cybersecurity frameworks and improved resilience across critical national systems. The outcome of the CAC probe is expected to inform future policy direction in that area.
The development also follows a separate regulatory action by the Nigeria Data Protection Commission, which, earlier in April, opened an investigation into an alleged data breach involving financial and payment service providers. In a statement issued on April 6, the commission said it had served formal notices of investigation on April 1, with affected parties cooperating with inquiries.
Taken together, the incidents underscore growing scrutiny of data protection and digital risk management in Nigeria’s financial and corporate ecosystems.
For now, the CAC said it remains committed to safeguarding the integrity of the registry, though it has yet to provide a timeline for concluding its investigation or confirming whether any data was compromised. Businesses and compliance professionals are likely to watch closely for further disclosures, particularly as reliance on digital filings continues to deepen.

