Nigeria's Corporate Affairs Commission (CAC) confirmed on April 15, 2026, that a hacker broke into its database and gained unauthorized access to millions of companies' records, shaking the foundation of the country's corporate registry. If your business is registered in Nigeria, this breach directly affects you, and the window to protect yourself is closing fast.
What Exactly Happened in the CAC Cybersecurity Breach
The Corporate Affairs Commission confirmed unauthorized access into its database, affecting millions of companies, in a public statement released through its X account. The commission described the breach as affecting "limited aspects" of its information systems.
But here is the part that should make every Nigerian business owner sit up straight.
The breach was carried out by a dark web hacker known as "ByteToBreach" — the same actor who earlier claimed responsibility for a breach involving customer data on the Remita payment platform. Evidence suggests this hacker actively sells institutional databases to cybercriminal networks, significantly increasing the likelihood of impersonation, fraud, blackmail, and identity theft.
This was not a random, opportunistic attack. It was targeted, deliberate, and carried out by someone with a known history of monetizing stolen Nigerian data.
How the CAC Responded and Who Is Now Involved
In a public notice dated April 15, 2026, the CAC disclosed that it promptly activated its response protocols and is working with the National Information Technology Development Agency (NITDA), relevant government agencies, and partners to assess the scope and impact of the breach. The commission stated that appropriate containment measures have been implemented and additional safeguards are in place.
The involvement of NITDA is significant and tells us a great deal about how seriously the government is taking this.
NITDA is the agency responsible for coordinating information technology development and regulation in Nigeria, and its inclusion in the response indicates the breach is being treated as a significant cybersecurity event requiring national-level technical response.
Still, the CAC has not disclosed the full scale of the breach, which specific systems were affected, or whether any data was actually extracted and removed.
What Data Could Be at Risk in the CAC Breach
The CAC database contains sensitive information on millions of registered businesses, including the names and personal details of directors, shareholders, and company secretaries, registered office addresses, shareholding structures, financial filings, and corporate governance documents.
Think about what that means in the wrong hands.
A breach of this database could enable criminals to file fraudulent changes to company records, such as changing directors, transferring shares, or altering registered addresses, which would undermine the integrity of the corporate registry. It could also facilitate sophisticated phishing and social engineering attacks using genuine company data obtained from the breach.
And the scale of data at risk is staggering.
Nigeria currently has over four million registered business entities. Reports indicate that the CAC processed about 2.5 million registrations between January and February 2024 alone, and since July 2025, the Commission has reportedly processed more than 10,000 registrations daily following the adoption of AI-driven workflows.
The Hacker Behind the CAC Data Breach
The recent cybersecurity incident at the Corporate Affairs Commission is the latest in a series of breaches affecting Nigerian organizations. A week before the CAC breach, the Nigeria Data Protection Commission (NDPC) began investigating a potential data breach at Remita Payment Services and Sterling Bank, triggered after a threat actor known as "ByteToBreach" claimed that sensitive customer information was exposed. The exposed information allegedly included Bank Verification Numbers (BVNs), Know Your Customer (KYC) documents, and transaction histories.
This is a pattern, not a one-off incident. ByteToBreach is systematically targeting Nigeria's most sensitive digital infrastructure.
At the 2026 GITEX Africa summit, NITDA Director-General Kashifu Inuwa stated that human error causes 95 percent of digital security breaches and cautioned that artificial intelligence is making these breaches more difficult to identify.
That stat is sobering. It means that in most cases, attackers do not break the walls down. Someone inside opens the door.
Why Nigeria's Government Databases Keep Getting Targeted
This breach did not happen in a vacuum, and it will not be the last unless the underlying problems are addressed.
Nigeria has pushed hard to move public services online since the late 2010s, but analysts say cybersecurity has struggled to keep up. Government databases have become prime targets worldwide for hackers seeking financial gain or disruption.
The CAC itself is a perfect example of this tension.
The CAC has pushed hard on online incorporation and digital filings in recent years, making its platform more attractive and, at the same time, more vulnerable to attackers.
Speed of digitization without matching investment in security is a formula for exactly what happened here.
Security experts and business groups have long warned that rapid digitization has outpaced cybersecurity defenses in many government agencies. Any prolonged downtime or data leak could delay registrations, filings, and compliance checks for thousands of businesses, from small startups to large multinationals.
Nigeria is not alone in facing this challenge, but the country's size and the centrality of the CAC to its entire business ecosystem make this breach especially consequential.
What Happens to Nigerian Businesses If This Data Gets Sold
Evidence suggests the hacker actively sells institutional databases to cybercriminal networks. This increases the likelihood of impersonation, fraud, blackmail, and identity theft targeting registered business owners across Nigeria.
A fraudster buys the stolen CAC data, contacts a company's bank while posing as a registered director, uses verified corporate details to pass identity checks, and initiates an unauthorized transfer. The business only finds out when the money is gone.
A breach of the CAC database could expose business owners and directors to identity theft, corporate fraud, and targeted attacks. Criminals could file fraudulent changes to company records, such as changing directors, transferring shares, or altering registered addresses, undermining the integrity of the entire corporate registry.
The fraud does not even have to involve money directly. Changing your registered director on paper can strip you of legal control over your own company.
The CAC's Three Official Advisories to Stakeholders
The commission did not just confirm the breach and go quiet. It gave specific instructions, and you need to follow them today.
First, stakeholders should monitor their records on the CAC portal to check for any unauthorized changes to their company information, directorship records, shareholding structures, or other registered details. Second, stakeholders should update their login credentials — usernames and passwords — for their CAC portal accounts immediately. This advisory suggests the commission cannot rule out that login credentials may have been among the data accessed during the breach.
The CAC further urged users to remain vigilant against unsolicited communications that may arise as a result of the incident, and reassured the public of its commitment to safeguarding Nigeria's corporate registry and maintaining the integrity of its systems.
Three simple steps: check your records, change your password, ignore suspicious messages. Do all three before you close this tab.
What You Must Do Right Now to Protect Your Business
- Log into the CAC portal immediatelyCheck every detail on your company's profile: directors listed, registered address, share structure, and any recent filings. If anything looks wrong, flag it with CAC immediately and document everything with screenshots.
- Change your CAC portal password today Use a strong, unique password of at least 16 characters that combines upper and lowercase letters, numbers, and symbols. Do not reuse a password from any other platform.
- Enable two-factor authentication wherever available This adds a critical second layer that protects your account even if your password has already been stolen.
- Brief your entire teamEvery director and company secretary named in your CAC filings is now a potential target for phishing emails, fake phone calls, or impersonation attempts. Make sure everyone knows what to look out for.
- Contact your bank and notify them Alert your corporate bank that your company's data may have been compromised. Ask them to flag any unusual requests for account changes or high-value transactions.
The CAC also advised stakeholders to remain cautious of unsolicited communications that may arise as a result of the incident, as sophisticated phishing and social engineering attacks using genuine company data could follow the breach.
Taiwo Oyedele Finally Admits Errors in Nigeria's New Tax Laws — Promise Correction Underway
10 CBN BVN Rules Taking Effect May 1 That Could Lock You Out of Your Account