Cybersecurity | April 19, 2026

NDPC Opens Probe into CAC Data Breach, Issues Nationwide Cyber Advisory

NDPC launches probe into alleged CAC data breach, releases nationwide advisory on MFA, zero-trust, and VAPT for Nigerian organisations.

Peter Olaleru/3 min/GB

Cybersecurity Editor


TL;DR

**Nigeria’s data protection regulator has launched an investigation into a suspected breach at the Corporate Affairs Commission and issued a nationwide advisory urging stronger safeguards.** The advisory calls for certified data protection officers, multi‑factor authentication, and zero‑trust architecture.

Context

The Nigeria Data Protection Commission (NDPC) said on Friday it had commenced an investigation under the Nigeria Data Protection Act, 2023 after the Corporate Affairs Commission (CAC) reported reviewing a cybersecurity incident involving unauthorized access to limited parts of its information systems. The NDPC noted that threat actors are increasingly targeting key databases with coordinated operations.

Key Facts

NDPC’s announcement cited Section 46(3) of the NDP Act as the legal basis for the probe. The CAC stated it is reviewing the incident and has deployed containment measures, though it did not disclose the number of records exposed or the attack vector. In a separate statement, the NDPC issued a regulatory advisory to all data controllers and processors, recommending the appointment of certified Data Protection Officers, the implementation of privacy policies, the conduct of Data Privacy Impact Assessments, the deployment of multi‑factor authentication, and the adoption of zero‑trust architecture. The advisory also urged immediate remediation of vulnerabilities, continuous patch management, network segmentation, real‑time monitoring, encryption of data at rest and in transit, regular backups, and routine Vulnerability Assessment and Penetration Testing (VAPT).

What It Means

The investigation signals heightened regulatory scrutiny for public sector entities handling personal data. Organisations may face enforcement actions if gaps in access controls, impact assessments, or third‑party risk management are found. The advisory sets a baseline expectation for technical and organisational measures, aligning Nigerian requirements with international frameworks such as NIST CSF and ISO 27001.

Mitigations

Data controllers should appoint a certified DPO to oversee compliance, conduct a DPIA for high‑risk processing, and enforce MFA on all privileged and remote access. Implement zero‑trust principles by verifying every request, segmenting networks, and limiting lateral movement. Apply security patches within vendor‑recommended timelines, maintain an asset inventory, and run regular VAPT on critical systems. Enable centralized logging with alerts for anomalous access, encrypt sensitive data, and test backup restoration quarterly.

Watch for the NDPC’s forthcoming findings and any enforcement actions that may shape future data protection enforcement in Nigeria.
