Nigeria’s Data Protection Commission Launches Probe into Corporate Affairs Commission Data Breach

**TL;DR** Nigeria’s Data Protection Commission (NDPC) has launched a formal investigation into an alleged data breach impacting the Corporate Affairs Commission (CAC). This action aims to evaluate CAC's security protocols and reinforce data protection standards across public sector operations.

**Context** The Nigeria Data Protection Commission (NDPC) has initiated a formal inquiry into an alleged data breach affecting the Corporate Affairs Commission (CAC). This investigation, conducted under Section 46(3) of the Nigeria Data Protection Act, 2023, addresses reports of compromised data. Cyber threat actors increasingly target critical databases, employing sophisticated tactics like large-scale data exfiltration and cross-platform attacks to compromise interconnected systems.

**Key Facts** The NDPC's investigation will meticulously scrutinize several key areas of CAC's data security architecture. It will specifically examine the integrity and effectiveness of access control mechanisms, which govern who can view or modify data. The probe will also assess past privacy impact assessments, which evaluate potential risks to personal data. Furthermore, the investigation covers vulnerability assessment and penetration testing (VAPT) outcomes, identifying security weaknesses in systems. Finally, due diligence procedures for all third-party data processors involved with CAC data will be reviewed. These measures collectively aim to identify potential gaps that led to the reported incident.

**What It Means** This regulatory action by the NDPC signals a heightened emphasis on data protection compliance for all Nigerian organizations handling personal data. It underscores the critical need for robust data governance and proactive security measures. Organizations must ensure strong access controls, conduct regular privacy impact assessments, and consistently perform vulnerability assessments and penetration testing. Effective due diligence on third-party vendors, who often handle sensitive data, is also paramount to preventing supply chain attacks. The NDPC states these efforts are crucial for maintaining public trust in Nigeria’s expanding data-driven services. Such regulatory oversight encourages continued investment and confidence in the nation's digital economy. All entities managing personal data should now proactively review and strengthen their data protection frameworks.