Lawyers Without Borders Raises The Alarm Over CAC Data Breach
Avocats Sans Frontières France has expressed concern over a recent data breach at the Corporate Affairs Commission, warning that the incident could undermine the privacy rights of Nigerian entrepreneurs.
The organisation, also known as Lawyers Without Borders, made its position known in a statement issued on Tuesday, and signed by its Country Director, Angela Uwandu Uzoma-Iwuchukwu, a copy made available to our correspondent in Enugu.
The group’s reaction follows an earlier disclosure by the CAC, which, in a public notice dated April 15, confirmed that it was reviewing a cybersecurity incident involving unauthorised access to parts of its information systems.
“The Corporate Affairs Commission is currently reviewing a cybersecurity incident involving unauthorised access to limited aspects of its information systems,” the commission stated, adding that it had activated response protocols and was working with the National Information Technology Development Agency and other stakeholders to assess the scope of the breach.
‘The CAC noted that containment measures had been implemented and additional safeguards put in place to protect its systems.
However, ASF France alleged that the breach, reportedly linked to a threat actor identified as “ByteToBreach,” led to the compromise of sensitive personal data, including handwritten signatures, national identity documents and passport photographs.
The organisation described the incident as a violation of the constitutional right to privacy and a breach of obligations under the Nigeria Data Protection Act 2023.
It faulted the CAC’s handling of the situation, citing inadequate disclosure and lack of clarity in its public communication.
According to ASF France, the failure to disclose the number of affected individuals has left many Nigerians uncertain about the extent of the breach. It also criticised the characterisation of system disruptions as “scheduled maintenance,” saying such communication could erode public trust.
The group further stated that the CAC had not fully complied with provisions of the data protection law requiring direct notification of affected individuals in high-risk breaches.
ASF France also raised concerns over the absence of clear mechanisms for victims to seek redress or protect their identities, including measures for flagging or reissuing National Identification Numbers and passports.
While acknowledging the involvement of the Nigeria Data Protection Commission and NITDA, the organisation urged authorities to adopt more proactive measures.
It warned that reports of a cascading failure involving third-party payment systems and the banking sector pointed to deeper vulnerabilities in the commission’s digital infrastructure.
The group called for an independent forensic audit of the CAC’s cybersecurity framework, stronger regulatory enforcement, and the introduction of identity protection measures for affected persons.
It also urged the Federal Government to adopt data minimisation practices and establish a framework to protect victims from identity theft.
In addition, ASF France called on the National Assembly to summon CAC officials to provide explanations and outline steps to strengthen cybersecurity measures, including regular vulnerability assessments.
“The personal data of Nigerian citizens is a sacred trust,” the statement added, stressing the need for improved accountability and transparency in data protection.
