Nigeria's Corporate Affairs Commission (CAC) confirmed on April 15, 2026 that unauthorised actors accessed parts of its information systems, prompting an urgent investigation backed by the National Information Technology Development Agency (NITDA). The CAC operates the country's primary portal for company registration, name reservations, annual returns, and corporate filings, making the incident a potential systemic risk to Nigeria's business registry integrity.

What Happened

In a public notice signed by CAC management, the agency disclosed that it had detected unauthorised access to parts of its information systems and had immediately activated incident response protocols. Registrar-General Hussaini Ishaq Magaji leads the commission through the response, which is being coordinated with NITDA and other government partners to determine the scale and impact of the breach. The CAC has instructed users to update their login credentials and monitor their records as a precautionary measure while the forensic review continues. No specific threat actor, ransomware group, or attack vector has been publicly attributed as of publication.

What Was Taken

The CAC has not yet disclosed the volume or specific categories of data affected. However, the systems involved host highly sensitive business records, including:

• Company registration details and incorporation documents
• Director and shareholder identity data
• Beneficial ownership information
• Annual returns, financial filings, and compliance records
• User account credentials for the CAC online portal

Because the CAC registry underpins corporate identity verification across Nigeria, any exposure of beneficial ownership data or director KYC records would be particularly damaging, enabling downstream fraud, shell company creation, and identity-based attacks against Nigerian firms.

Why It Matters

The CAC sits at the foundation of Nigeria's formal economy. Thousands of businesses, from small startups to multinational corporations, rely on the registry for legal standing, tax compliance, and commercial transactions. A prolonged outage or confirmed data leak would ripple through banking KYC processes, procurement verifications, and cross-border due diligence workflows that depend on authoritative CAC data. The incident also lands at a politically sensitive moment: NITDA Director-General Kashifu Inuwa Abdullahi recently used the GITEX Africa 2026 stage to call for stronger national cyber resilience, and this breach will test whether recent policy rhetoric has translated into operational defence. For threat intelligence teams tracking African government targeting, the CAC compromise continues a pattern of public-sector digitisation outpacing cybersecurity maturity.

The Attack Technique

Technical details have not been released. The CAC's notice confirms only that "unauthorised access" was detected and that response protocols were activated. The guidance issued to users to rotate credentials suggests that account compromise, credential theft, or identity-layer intrusion is a plausible vector, though this has not been confirmed. Historically, registry and filing portals across West Africa have been targeted via exposed administrative interfaces, unpatched web applications, phishing against privileged staff, and third-party integrations. Until NITDA publishes its findings, defenders should treat CAC-linked credentials and exported data as potentially compromised.

What Organizations Should Do

1. Rotate all CAC portal credentials immediately and enforce unique, non-reused passwords for any staff managing corporate filings.
2. Enable multi-factor authentication on CAC accounts where available, and audit which employees hold access to filing portals.
3. Treat any recent CAC correspondence with elevated suspicion, as leaked filer contact data would enable highly targeted phishing against company secretaries and compliance officers.
4. Review KYC and due diligence pipelines that ingest CAC data for anomalies, and cross-reference critical records against internal copies until the registry's integrity is confirmed.
5. Monitor dark web forums and paste sites for CAC-branded data dumps, director PII, or beneficial ownership leaks.
6. Document a contingency plan for filing delays, including regulatory extensions, so that compliance deadlines are not missed during CAC downtime.

Sources: Nigeria's CAC hit by cyberattack, raising fears for business data security - Businessday NG