-
A hacker named ByteToBreach broke into Nigeria’s corporate database and stole sensitive documents like passports, signatures, and court affidavits.
-
The Corporate Affairs Commission (CAC) confirmed the breach but claims only limited systems were affected.
-
Nigeria’s data regulator is now investigating, but this marks the second major breach in weeks after a similar attack on payment platform Remita.
Nigeria’s Corporate Affairs Commission (CAC) has experienced a hack attack. The hacker walked away with people’s most private documents, exposing how weak security is on many state-controlled sites.
On its part, the CAC confirmed the attack, but maintains that it only affected a small fraction of its database.
The Actor Behind the Attack
The dark web hacker goes by ByteToBreach. You might remember the name. Just days earlier, he hit Remita, a major payment platform used by banks and government agencies. He leaked customer KYC data from that breach, too.
Now he’s back. This time, he targeted CAC’s AI-powered registration database.
ByteToBreach is not alone in targeting government institutions, the European Commission was recently hit by a cyberattack, with hackers claiming to have stolen 350GB of data, demonstrating that government agencies worldwide, from Nigeria to the European Union, are under constant siege from cybercriminals seeking sensitive information.
On Wednesday, CAC admitted that something went wrong. The commission called it “a cybersecurity incident involving unauthorised access to limited aspects of its information systems.”
They said they activated response protocols. Currently, they’re teaming up with NITDA, a Nigerian technology watchdog, and a couple other major players. In addition, they’ve urged customers to monitor their info, change login credentials, and be alert in case of suspicious messages.
What the Hacker Got His Hands On
Let me tell you what ByteToBreach accessed. It’s a long list. He grabbed password repositories, court affidavits, signatures, and national identity cards. He also took company resolutions, passports, passport photographs, and voter cards.
Even signatures and IDs. These are the exact documents Nigerians submit when registering a business, company, or NGO with CAC. The hacker shared redacted samples as proof. FIJ reviewed them.
Data samples the hacker shared
CAC says only a fraction of its systems got breached. But here’s the real risk: that data can cause real harm. Hackers like ByteToBreach often sell institutional databases to cybercriminals. Those buyers then use the info for blackmail, impersonation, or outright theft.
Millions of Nigerians Could Be at Risk
To put the numbers in perspective, Nigeria has over four million registered business entities. With the help of AI, CAC now processes 10,000 plus registrations daily. And it has been so since July last year. Initially, they could handle up to 2.5 million within a few months, which is no small number.
This means thousands of Nigerians trust their sensitive information in the hands of the CAC every day. And now, some of that trust looks broken.
Nigeria’s Data Regulator Probe Into Recent Leaks
Remember the Remita breach from March 31? ByteToBreach claimed responsibility for that one too. He published personally identifiable data from Remita’s KYC database.
After FIJ reported the story, the NDPC, Nigeria’s data watchdog, finally spoke up and said it’s looking into Remita, Sterling Bank, and some other companies. They already sent out notices at the start of April and are now collecting details from those involved.
Meanwhile, the NDPC needs to answer some crucial questions. What kind of data leaked? How severe is the breach, and what possible dangers would the victims of the breach have to deal with? They are also checking whether any mitigation measures happened.
Dr. Vincent Olatunji, the National Commissioner, said the probe might go further. He wants to examine any company running digital payment systems without proper safeguards under Nigeria’s Data Protection Act.
Sadly, the NDPC only confirmed the Remita investigation after FIJ’s report broke their silence. And now, with CAC also breached, the regulator has another mess on its hands.
What the Law Actually Requires
Based on Nigeria’s Data Protection Act, if an organization notices a breach in their system, they should tell the NDPC within 72 hours. That means sharing exactly what happened, what kinds of info might’ve leaked, and how many people are caught up in the mess. Also, they have to detail possible risks the exposure might cause for the victims.
If the chances of the breach exposing victims to scams or identity theft are high, the organization is under obligations to notify affected users. And when sending the alerts, the company must include practical advice on how the user can avoid these risks. Like changing their passwords, credit monitoring, and replacing a compromised ID.
So far, it’s unclear if CAC or Remita followed those rules. What is clear: a dark web hacker is now sitting on a goldmine of Nigerian personal data. And the clock is ticking before that data gets sold to the highest bidder.
