Nigeria's Corporate Affairs Commission Hit by Data

Nigeria's Corporate Affairs Commission (CAC), the government agency responsible for business registration and corporate governance oversight, has become the target of a significant data security incident, triggering a formal investigation by the Nigeria Data Protection Commission (NDPC). The breach—and the institutional response to it—exposes critical vulnerabilities in Africa's largest economy's digital infrastructure, with serious implications for European entrepreneurs and investors operating across Nigerian markets.

The NDPC launched its investigation under provisions of the Nigeria Data Protection Act 2023, Nigeria's landmark privacy legislation enacted to establish comprehensive data protection standards across public and private sectors. The formal investigation signals that authorities are treating this incident with appropriate urgency, yet the very fact that such a breach occurred at a foundational government institution raises troubling questions about the state of cybersecurity governance in Nigeria.

The CAC's response involved a three-day portal shutdown from April 17-20, 2026, officially framed as "scheduled maintenance" but transparently linked to the breach concerns. This shutdown affected thousands of businesses attempting to register, renew licenses, or access corporate filings—critical functions for any company operating in Nigeria. For foreign investors managing Nigerian subsidiaries or joint ventures, such interruptions create operational friction and underscore the risks of relying on single points of failure within Nigeria's institutional infrastructure.

The breach is particularly concerning because the CAC database contains highly sensitive information: business registration details, director identities, shareholding structures, financial filings, and corporate addresses. This data is foundational to corporate governance verification. If compromised, it could expose European-owned firms to identity theft, targeted fraud, competitive intelligence gathering, or regulatory exploitation by bad actors. The CAC's database is also frequently cross-referenced by banks, investors, and regulators—meaning contaminated or manipulated data could propagate through Nigeria's entire financial ecosystem.

From a governance perspective, this incident highlights why the NDPC's enforcement authority—newly strengthened under the 2023 Data Protection Act—matters significantly. The Act imposes substantial penalties for data breaches and mandates transparent incident disclosure. However, the CAC breach demonstrates that regulatory frameworks, however well-designed, are only as effective as the institutions implementing them. If the government's own agencies lack adequate cybersecurity infrastructure, investor confidence in data protection across Nigeria erodes.

For European investors, this creates a multi-layered risk. First, there is direct operational risk: reliance on the CAC portal for corporate governance compliance. Second, there is reputational and legal risk, particularly for firms subject to GDPR or other EU data protection requirements—if Nigerian subsidiaries store shareholder or employee data that flows through compromised government systems, European parent companies could face regulatory scrutiny. Third, there is financial risk: breach-related litigation, forensic investigations, and remediation costs often fall on affected businesses, not government agencies.

The NDPC's investigation will likely produce recommendations for CAC system hardening, but investigations take time. In the interim, foreign investors should conduct immediate audits of their CAC filings, assume that sensitive corporate information may have been exposed, and review their cyber insurance coverage for Nigeria-specific liabilities. Additionally, firms should diversify their verification processes—relying on independent corporate due diligence providers rather than solely on government databases until confidence in CAC system integrity is publicly restored.

This incident is a reminder that investing in Africa's largest economy requires contingency planning for institutional fragility, even when governance frameworks appear robust on paper.