On April 20, 2026, the Corporate Affairs Commission (CAC) of Nigeria fell victim to a sophisticated ransomware attack orchestrated by the threat actor group known as ByteToBreach. Initial reports indicate that approximately 25 million files (750 GB) were exfiltrated, including 15 million sensitive documents ranging from incorporation records to beneficial ownership data.
As your legal counsel, we understand the profound concerns this incident raises regarding corporate privacy and the integrity of the Nigerian business environment. This note outlines our assessment of the situation and the immediate, proactive steps we are taking to safeguard your interests.
1. Nature and Scope of the Breach
The breach was executed through a comprehensive system compromise, resulting in the unauthorized access of:
- Company Registration Records: Legal identities, director profiles, and shareholder structures.
- Beneficial Ownership Data: Information critical to anti-money laundering (AML) compliance and transparency.
- Internal Legal Documents: Scanned copies of company constitutions and certified true copies (CTCs) of filings.
The hackers have leaked portions of this data onto file-hosting sites. While the Nigeria Data Protection Commission (NDPC) has opened a full-scale investigation and the CAC portal has been temporarily suspended for security upgrades, the immediate risk of identity theft and corporate fraud remains heightened.
2. Our Position: A Commitment to Security
We wish to reassure our clients that our firm’s internal systems remain entirely unaffected by this breach. Our commitment to the security of your legal and corporate data is absolute. In response to this industry-wide threat, we have:
- Isolated CAC-related Files: Implementing additional encryption layers for all CAC documents stored within our infrastructure.
- Enhanced Verification Protocols: Instituting a mandatory “double-check” system for any instructions involving fund transfers or changes to corporate mandates.
- Active Monitoring: Our cybersecurity team is monitoring dark web forums for any specific mentions of our clients’ corporate data to provide early warning alerts.
3. Strategic Risk Mitigants for Your Business
While the national registry faces this challenge, we recommend that your organization adopt a “defensive posture” immediately. Information is currently a liability; vigilance is your primary asset.
- Audit Internal Access: Review who has access to your company’s registration portal credentials.
- Beware of “CEO Fraud”: Be extremely skeptical of sudden requests for payment or sensitive information, even if they appear to come from legitimate corporate directors or use official-looking CAC documents as “proof.”
- Credential Reset: Change all passwords associated with corporate filings and enable Multi-Factor Authentication (MFA) across all financial and administrative platforms.
- Monitor Due Diligence Requests: If banks or third parties request CAC documents for KYC purposes, ensure you provide them through secure, verified channels.
4. The Regulatory Outlook
This incident is likely to trigger a significant shift in Nigeria’s digital policy. We expect:
- Stricter Enforcement: The NDPC may move toward more aggressive auditing of government agencies and private firms.
- Systemic Upgrades: The CAC portal is currently undergoing maintenance to implement more robust security architectures and restore international and domestic trust in the register.
- Legal Recourse: We are evaluating potential liabilities and the possibility of administrative relief for businesses whose sensitive data has been compromised.
Final Assurance
Nigeria’s rapid digital expansion has outpaced its current security framework, but this is a moment for institutional maturation, not retreat. We are working closely with regulatory bodies to ensure that your corporate standing remains secure despite this temporary disruption.
We remain at your disposal for any specific concerns regarding your company’s data footprint or to discuss individual risk-mitigation strategies.
Disclaimer: This note is for informational purposes and provides general guidance. It does not constitute formal legal advice tailored to specific circumstances.
