Mass exfiltration at Nigeria CAC

Nigeria’s Corporate Affairs Commission said on April 15 that it is reviewing a cybersecurity incident involving “unauthorised access” to parts of its systems. (thenigerialawyer.com) The agency said it had activated response protocols and was working with the National Information Technology Development Agency, other government bodies, and partners to assess the scope and impact. It said containment measures were in place and told users to monitor records on the portal and change their login credentials. (thenigerialawyer.com) The Corporate Affairs Commission is Nigeria’s corporate registry. It registers companies, business names, and incorporated trustees, and it keeps the public record for changes in directors, shareholding, and other company filings. (cac.gov.ng) That makes the commission a high-value target. A compromise at the registry can expose corporate filings, identity documents used in registration, and the account credentials that businesses use to update official records. (cac.gov.ng) Nigeria’s data-protection rules require organizations to secure personal data, and the Nigeria Data Protection Act says a controller must notify the Nigeria Data Protection Commission within 72 hours if a breach is likely to risk people’s rights and freedoms. (ndpc.gov.ng) The National Information Technology Development Agency has a broader cybersecurity role in Nigeria’s digital economy. Its mandate includes regulating information-technology practices and strengthening cybersecurity and digital trust. (nitda.gov.ng) The actor named in underground posts, ByteToBreach, has been tracked by multiple threat-intelligence firms since at least June 2025. CyHawk Africa described the group on April 1 as a data-theft operation that breaches networks, copies data, seeks payment, and publishes material anyway. (cyhawk-africa.com) That profile matters in Nigeria because the same actor has recently been tied in outside reporting to claims involving Sterling Bank and Remita. Those earlier claims widened concern about whether attackers were moving from one large Nigerian database to another. (weetracker.com) The commission has not publicly said how the intruders got in, which systems were touched, or how many records were accessed. Its April 15 notice described the incident as access to “limited aspects” of its information systems, a phrase that signals the agency is still narrowing the damage. (thenigerialawyer.com) What comes next is more specific disclosure: what data was exposed, whether the Nigeria Data Protection Commission was notified, and whether businesses must do more than reset passwords and review their filings. For now, the clearest public fact is that Nigeria’s main business registry has confirmed unauthorized access to its systems. (thenigerialawyer.com)