Nigeria NDPC Probe
- Nigeria's National Data Protection Commission opened a probe into the Corporate Affairs Commission's data breach. (x.com)
- The NDPC suspended the CAC portal under Section 46(3) of the Nigeria Data Protection Act, per the posts. (x.com)
- The move represents a formal regulatory enforcement step that increases legal exposure for the CAC. (x.com)

Nigeria’s data regulator has opened a formal investigation into the Corporate Affairs Commission after the agency confirmed a cyber incident affecting parts of its systems. (nairametrics.com) The Nigeria Data Protection Commission said on April 17 that it was acting under Section 46(3) of the Nigeria Data Protection Act, 2023, and directed its technical team to work with other authorities on the case. (technext24.com)

The Corporate Affairs Commission had disclosed two days earlier, on April 15, that it was reviewing “unauthorised access to limited aspects” of its information systems and was working with the National Information Technology Development Agency and other partners to assess the impact. (nairametrics.com)

The affected platform is not a minor website. The Corporate Affairs Commission runs Nigeria’s corporate registry, where companies and business names are incorporated, searched, and updated through its online portal. (cac.gov.ng)

That makes the regulator’s move more than a technical review. The Nigeria Data Protection Act puts complaints, investigations, enforcement orders, judicial review, and civil remedies in the same enforcement section of the law, giving the commission a clear path from inquiry to sanctions if it finds violations. (ndpc.gov.ng)

The law also sets a 72-hour breach notification rule when a breach is likely to risk people’s rights and freedoms. It requires a data controller to notify the commission and describe the nature of the breach, including the categories and approximate numbers of affected people and records where feasible. (ndpc.gov.ng)

The Corporate Affairs Commission told users to monitor records on the portal, change login credentials, and watch for unsolicited messages. On its public search site, it also posted a “security update” notice saying the portal would be unavailable from midnight on April 17 to midnight on April 19 for a critical system upgrade. (nairametrics.com) (cac.gov.ng)

The Nigeria Data Protection Commission said its probe will examine access controls, data privacy impact assessments, vulnerability testing, and due diligence on third-party processors tied to the Corporate Affairs Commission’s systems. (nairametrics.com)

Outside reports have cited online claims that as many as 25 million documents were exfiltrated, but the Corporate Affairs Commission has not publicly confirmed that figure or identified which records were accessed. Its public statements have described the intrusion only as affecting limited parts of its systems. (nairametrics.com 1) (nairametrics.com 2)

The next step is no longer just incident response inside one agency. The case is now in the hands of the body Nigeria created in 2023 to police how institutions collect, secure, and process personal data. (ndpc.gov.ng)