The Nigeria Data Protection Commission has launched an investigation into a reported data breach at the Corporate Affairs Commission.
This was disclosed in a statement signed by the Head of Legal, Enforcement and Regulations, Babatunde Bamigboye, citing provisions of the Nigeria Data Protection Act, 2023.
The Commission said the move is aimed at safeguarding trust in Nigeria’s digital and economic systems amid growing concerns over data security.
What the commission is saying
The NDPC expressed concern over increasing activities of threat actors targeting key databases, noting that such attacks involve large-scale data breaches and cross-platform compromises.
According to the Commission, these actors are deploying sophisticated methods to exploit vulnerabilities across interconnected systems.
- “Pursuant to Section 46(3) of the Nigeria Data Protection Act, 2023 (NDP Act), the Nigeria Data Protection Commission (NDPC) has initiated an investigation into the reported data breach at the Corporate Affairs Commission (CAC).
The NDPC notes with concern that threat actors in the digital space have devised malicious methods of compromising the data security architecture of key databases. These involve large-scale data exfiltration and cross-platform compromise across interconnected systems,” they stated
The CEO of the NDPC, Vincent Olatunji, directed the agency’s technical team to engage relevant authorities and organisations to strengthen existing data protection measures.
Backstory
The probe by the Commission follows a sequence of events that began circulating online, alleging that hackers had breached the CAC database and possibly accessed millions of corporate records.
These claims alleged that approximately 25 million documents may have been exfiltrated from the infrastructure of the Corporate Affairs Commission.
Amid growing speculation, the CAC confirmed a full-scale breach. In its first official statement, the Commission described the incident as affecting “limited aspects” of its information systems and said it had activated internal response protocols while working with the National Information Technology Development Agency (NITDA) and other partners to assess the impact.
The agency also advised users to update their login credentials and monitor their records, signalling concern that sensitive data such as account details or corporate records could have been exposed or targeted.
More insights
The Commission said the investigation into CAC will examine critical areas, including:
- Access control mechanisms
- Data Privacy Impact Assessments
- Vulnerability Assessment and Penetration Testing (VAPT)
- Due diligence on third-party data processors
It added that the probe forms part of broader regulatory efforts to reinforce safeguards around the processing of personal data in Nigeria.
The NDPC also assured the public that Nigeria’s data protection frameworks remain strong, noting that increasing adoption of digital services reflects growing confidence in the system.
What you should know
There have been a series of recent investigations launched by the Nigerian Data Protection Commission into major organisations handling sensitive personal data.
- Weeks back, the Commission opened an investigation into alleged data breaches involving Remita Payment Services and Sterling Bank, following claims of large-scale data exposure linked to cyber threat actors.
- The probe was triggered by reports that a threat actor had accessed massive datasets, including sensitive financial records, identity documents, and internal system data.
- Earlier in February 2026, the NDPC also launched an investigation into e-commerce platform Temu over concerns surrounding the handling of personal data belonging to about 12.7 million Nigerians, highlighting growing scrutiny across digital platforms.
They have also stepped up warnings over growing cyber threats and attacks on financial systems, telecommunications networks, cloud platforms, and public sector databases.
