Nigeria’s corporate registry crisis has escalated following fresh allegations that approximately 25 million documents may have been exfiltrated from the systems of the Corporate Affairs Commission (CAC), even as the agency continues its official review of a cybersecurity incident involving unauthorised access to parts of its infrastructure.
The CAC had earlier confirmed that it was investigating a breach affecting “limited aspects” of its information systems, stating that it had activated response protocols and was working with the National Information Technology Development Agency (NITDA), alongside other government agencies and partners, to assess the scope and impact. The Commission also assured stakeholders that containment measures had been implemented and additional safeguards put in place.
However, new claims circulating within cybersecurity monitoring circles suggest the breach may be far more extensive than initially disclosed. According to the alleged threat actor identified as “ByteToBreach,” about 25 million documents were extracted from CAC infrastructure, with approximately 750GB of data reportedly made available for download. The claims, which remain unverified by authorities, include assertions that the breach followed multiple stages—ranging from initial system penetration to full access and eventual data exfiltration.
The alleged dataset is said to include a mix of corporate filings, registration records, and other sensitive documentation tied to Nigeria’s company registry. The threat actor further claimed that roughly 25 percent of the files consisted of basic corporate signatures, while more than 15 million documents contained substantive records. Screenshots purportedly showing different phases of the attack—labelled from “breakthrough” to “exfiltration”—have also been circulated as proof, though their authenticity has not been independently confirmed.
In its official notice, the CAC urged stakeholders to remain vigilant, advising users to monitor their records on the agency’s portal, update login credentials, and exercise caution regarding unsolicited communications. The Commission reiterated its commitment to safeguarding the integrity of Nigeria’s corporate registry and pledged to provide updates as investigations progress.
While authorities have not confirmed the scale of the alleged breach, the development has heightened concerns about data security within critical government systems, particularly those handling sensitive corporate and financial information. Analysts warn that if substantiated, the incident could have far-reaching implications for investor confidence, regulatory compliance, and digital trust in Nigeria’s business environment.
