Nigeria's company registry has been breached and 25 million documents may be exposed

Nigeria's Corporate Affairs Commission confirmed on 15 April that its information systems were breached by an unauthorised party. A threat actor operating under the name ByteToBreach claims to have exfiltrated approximately 25 million documents. The CAC described the incident as involving unauthorised access to limited aspects of its systems. It has not confirmed the scale claimed by the attacker.

The CAC holds company registration records, director and shareholder data, KYC documents, and corporate filings for every registered business in Nigeria. In 2025 alone, 245,000 new entities were registered with the commission.

The commission said appropriate containment measures have been implemented and that it is collaborating with the National Information Technology Development Agency and other government agencies. It advised users to update login credentials, monitor records on the CAC portal, and be cautious of unsolicited communications.

The Nigeria Data Protection Commission responded on 16 April with a regulatory advisory disclosing that its own technical assessment revealed coordinated attacks targeting financial systems and critical digital infrastructure nationwide. The NDPC mandated appointment of certified data protection officers, privacy impact assessments, multi-factor authentication, and zero-trust security architecture across all data controllers and processors.

Nigeria recorded 4,090 cyber attacks per organisation per week in March 2026, the highest of any African nation and nearly double the continental average.

The Ghana connection

The breach is a case study for why the Bank of Ghana issued its revised Cyber and Information Security Directive in March 2026, replacing the outdated 2018 framework with mandates for board-level cyber risk accountability, data sovereignty requirements, and zero-trust architecture. The CAC breach demonstrates what happens when a government registry holding millions of sensitive business records operates without those protections.

Senegal's Directorate of File Automation was hit by ransomware in January 2026, with 139 GB of biometric data exfiltrated from the national ID system serving 19.5 million citizens. Biometric data, unlike passwords, cannot be reset.

Nigeria's company registry has been breached and 25 million documents may be exposed

The Ghana connection

Asiama says fintechs get innovation space but not at the cost of regulation; AGI says the rules aren't clear enough

Goosie Tanoh wants a new Cooperative Legislation Bill; the 1968 law it would replace sits over GH¢2.68 billion in assets

Sam George launched a $270 million AI strategy; an ecosystem insider's op-ed asked where the friction goes

The Ghana connection

More in Paper Trail

Parliament backs Ghana Gas the day after Akosombo burns; the tariff fight has not gone away

Asiama says fintechs get innovation space but not at the cost of regulation; AGI says the rules aren't clear enough

Goosie Tanoh wants a new Cooperative Legislation Bill; the 1968 law it would replace sits over GH¢2.68 billion in assets

Sam George launched a $270 million AI strategy; an ecosystem insider's op-ed asked where the friction goes