NDPC Opens Probe into CAC Cyberattack Amid Rising Data Breach Concerns

The Nigeria Data Protection Commission (NDPC) has launched a formal investigation into the recent cyberattack on the Corporate Affairs Commission (CAC), following reports of unauthorised access to its systems.

The move was confirmed in a press statement dated April 17, 2026, signed by Babatunde Bamigboye, Head of Legal, Enforcement, and Regulations. The commission cited provisions of the Nigeria Data Protection Act 2023 as the legal basis for its intervention.

According to the NDPC, its National Commissioner and CEO, Vincent Olatunji, has directed a technical team to work with relevant stakeholders to assess the breach and strengthen data protection systems.

The investigation will examine key areas including access controls, vulnerability testing, data protection impact assessments, and the role of third-party service providers connected to CAC’s infrastructure.

The commission expressed concern over the increasing sophistication of cyber threats targeting Nigerian institutions, noting that recent attacks have involved coordinated breaches and large-scale data extraction.

CAC had earlier acknowledged the incident on April 15, describing it as limited unauthorised access and stating that it had activated response protocols in collaboration with the National Information Technology Development Agency (NITDA). However, details of the extent of data exposure have not yet been disclosed.

The probe comes amid a series of cybersecurity incidents across Nigeria, including separate investigations into alleged breaches involving financial platforms and institutions.

As Nigeria’s official corporate registry, the CAC holds critical records on businesses and their owners, making the integrity of its systems vital to the country’s economic framework.

The NDPC said its regulatory actions are aimed at maintaining public confidence in digital services while safeguarding data in Nigeria’s growing digital economy.

Meanwhile, CAC has advised users to monitor their accounts, update login credentials, and remain cautious of suspicious communications as investigations continue.