What Happened

Security researchers discovered that the Corporate Affairs Commission (CAC), the Nigerian government agency responsible for business registration, had an unsecured API endpoint that exposed sensitive business and personal data without authentication.

Scope of the Exposure

The exposed endpoint returned detailed records including company registration details and RC (registration) numbers; directors' full names, home addresses and phone numbers; BVN (Bank Verification Number) and NIN (National Identification Number) values linked to business registrations; shareholding structures and financial filing histories; and memoranda and articles of association documents.

Discovery and Disclosure

A Nigerian cybersecurity researcher discovered the vulnerability during routine research and attempted to report it through responsible disclosure. The CAC initially did not respond to the disclosure, and the endpoint remained active for several weeks before being secured.

Implications

This breach has serious implications for Nigeria's business community. With directors' personal information and BVNs exposed, affected individuals face a heightened risk of corporate identity fraud: criminals could register companies in their names or impersonate them in financial transactions. Unlike a password, a BVN or NIN cannot simply be reissued, so the exposure cannot be undone by the people it affects.