Nigeria’s data protection regulator says it has launched an investigation into a suspected compromise of the country’s corporate registry systems, raising fresh concerns about the resilience of critical digital infrastructure underpinning business operations.
The Nigeria Data Protection Commission says it is probing an alleged data breach at the Corporate Affairs Commission, signalling what could be one of the most consequential cybersecurity incidents affecting Nigeria’s corporate database ecosystem.
In a statement issued on April 17, 2026, Babatunde Bamigboye, Head, Legal, Enforcement & Regulations at NDPC confirms that the agency has “initiated an investigation into the reported data breach at the Corporate Affairs Commission (CAC)” pursuant to Section 46(3) of the Nigeria Data Protection Act, 2023.
The data protection regulator says the probe is part of broader efforts to maintain confidence in Nigeria’s digital economy, stating that the investigation “underscores the importance of fostering trust in Nigeria’s economic environment.”
The Nigeria Data Protection Commission says it is probing an alleged data breach at the Corporate Affairs Commission, signalling what could be one of the most consequential cybersecurity incidents affecting Nigeria’s corporate database ecosystem.
NDPC flags sophisticated cyber threats
The Commission’s disclosure points to increasingly advanced cyber threats targeting national data systems, with the regulator warning that malicious actors are deploying complex methods to breach sensitive infrastructure.
According to the NDPC, “threat actors in the digital space have devised malicious methods of compromising the data security architecture of key databases,” adding that such attacks now involve “large-scale data exfiltration and cross-platform compromise across interconnected systems.”
This suggests that the alleged breach at CAC may not be an isolated incident but part of a broader pattern of coordinated cyber operations targeting critical data repositories across Nigeria.
The Commission stops short of detailing the scale or impact of the breach at CAC but indicates that the investigation will be comprehensive and technically rigorous.
The NDPC outlines a multi-layered investigative approach that will scrutinise key components of CAC’s data protection architecture.
It says the investigation will “cover the procedures and outcomes of Access Control Mechanisms, Data Privacy Impact Assessments, Vulnerability Assessment and Penetration Testing (VAPT), as well as due diligence on third-party data processors.”
This scope reflects a deep-dive into both internal controls and external dependencies, particularly the role of third-party processors, which are often a weak link in complex data ecosystems.
The Commission also signals that enforcement and remediation will be coordinated across institutions, noting that the National Commissioner/CEO, Vincent Olatunji, has “directed the Commission’s technical team to immediately interface with relevant authorities and pivotal organisations, with a view to reinforcing existing guardrails for the processing of personal data.”
Despite the seriousness of the probe, the NDPC seeks to reassure the public about the overall integrity of Nigeria’s data protection framework.
“The NDPC assures members of the general public that frameworks for data protection, in terms of technology and other requisite resources in Nigeria, remain fundamentally strong,” the Commission says.
It adds that this strength is “evident in the increasing rate of access to data-driven services,” suggesting that digital adoption trends remain robust despite emerging risks.
The regulator sees its intervention as part of ongoing efforts to sustain trust and investment, stating that its actions are “necessary regulatory actions geared towards sustaining public trust in these services and bolstering continuous investment in Nigeria’s digital economy.”
NDPC advisory highlights escalating national risk
The CAC investigation follows closely on the heels of a broader regulatory advisory issued by the NDPC on Thursday, warning of escalating threats to Nigeria’s data security architecture.
In that advisory, the Commission states that its “technical assessment indicates that some shadowy threat actors have engaged in coordinated operations targeting financial systems and some key digital infrastructure in Nigeria.”
The language underscores a systemic risk environment in which multiple sectors, including financial services and government databases, are increasingly exposed to sophisticated cyber threats.
The NDPC highlights the advisory as a directive to all data controllers and processors, stating that it is issued “in response to the escalating threat to data security infrastructure.”
Presidential directive reinforces data protection urgency
The Commission anchors its advisory in national policy, referencing a directive by President Bola Ahmed Tinubu that elevates data governance as a strategic priority.
Quoting the President, the NDPC recalls the declaration that “Data is the new oil, its value increases the more it is refined and responsibly shared.”
The directive further mandates public sector compliance, with the President stating: “I therefore direct all Ministries, Extra-Ministerial Departments and Agencies to capture information rigorously and safeguard it under the Nigeria Data Protection Act 2023.”
This policy framing reinforces the significance of the CAC probe, positioning it within a broader national agenda to secure data as a critical economic asset.
In response to the heightened threat landscape, the NDPC is calling for immediate action across both public and private sector organisations.
The Commission “strongly advises that data controllers and processors (including MDAs) are to urgently step-up their technical and organisational measures to ensure the privacy of all Nigerians and other data subjects in line with the Nigeria Protection Act, 2023 (NDP Act).”
This directive signals a shift from advisory to expectation, with regulators emphasising proactive compliance rather than reactive remediation.
The directive further mandates public sector compliance, with the President stating: “I therefore direct all Ministries, Extra-Ministerial Departments and Agencies to capture information rigorously and safeguard it under the Nigeria Data Protection Act 2023.”
Detailed compliance measures outlined
The NDPC provides an extensive checklist of measures that organisations are expected to implement to strengthen their data protection posture.
These include the “appointment of duly trained and certified Data Protection Officers” and the “development and effectual implementation of Privacy Policies and information security standards.”
Organisations are also required to undertake “Data Privacy Impact Assessments” and deploy “robust identity and access controls, including Multi-Factor Authentication (MFA).”
The Commission further emphasises modern security architectures, calling for the “implementation of zero-trust security architecture and network segmentation,” alongside “immediate remediation of identified system vulnerabilities and continuous patch management.”
Additional measures focus on securing digital infrastructure, including “cloud infrastructure, APIs, databases, and access credentials,” as well as implementing “real-time monitoring, logging, and threat detection mechanisms.”
The advisory also highlights the importance of cryptographic controls, recommending the “implementation of encryption, key management, and secure credential handling.”
To ensure system resilience, organisations are instructed to conduct “Vulnerability Assessment and Penetration Testing (VAPT) on critical systems” and maintain “regular backup, recovery, and resilience testing.”
The NDPC makes clear that compliance is not optional, warning that failure to implement required measures could attract legal consequences.
“Organisations that fail or neglect to implement appropriate measures as required under the Nigeria Data Protection Act, 2023 may incur legal liabilities,” the Commission states.
At the same time, it offers support for compliance efforts, noting that it “is prepared to provide requisite regulatory support to organisations in order to ensure adequate level of data privacy and protection.”
The regulator reiterates its institutional mandate, stating that it “remains committed to protecting personal data, strengthening institutional resilience, and ensuring compliance across all sectors.”
CAC breach probe signals broader systemic implications
The convergence of the CAC investigation and the national advisory highlights a critical moment for Nigeria’s digital governance framework.
The alleged breach at the Corporate Affairs Commission is significant not only because of the volume and sensitivity of corporate data involved, but also because of its central role in Nigeria’s business ecosystem.
As the official repository of company registrations and corporate records, CAC’s database underpins business identity, compliance, and transactional trust across sectors.
A compromise of such infrastructure, if confirmed, could have ripple effects across:
* corporate governance systems
* financial services verification processes
* investor confidence
* regulatory compliance frameworks
“Organisations that fail or neglect to implement appropriate measures as required under the Nigeria Data Protection Act, 2023 may incur legal liabilities,” the Commission states.
Data-driven economy faces trust test
The NDPC’s actions suggest that Nigeria’s transition to a data-driven economy is entering a phase where security and trust are becoming as critical as access and innovation.
While the Commission maintains that existing frameworks are “fundamentally strong,” the dual issuance of a breach investigation and a national advisory indicates that regulators are responding to heightened threat intensity and systemic exposure.
The CAC probe, therefore, is more than an isolated enforcement action, it is a stress test of Nigeria’s data protection architecture.
With the investigation underway, stakeholders across government and industry are likely to face increased scrutiny regarding their data governance practices.
The NDPC’s emphasis on areas such as:
* access control mechanisms
* third-party processor due diligence
* vulnerability testing
signals where regulatory focus will be concentrated in the coming months.
Organisations operating critical data systems may need to reassess their compliance posture in light of the Commission’s detailed advisory and enforcement stance.
Home
