South Africa’s official company database says they aren’t the only ones getting hacked

The Companies and Intellectual Property Commission (CIPC) says it is not the only organisation in South Africa that has suffered a data breach.

This comes after a ransomware gang claiming responsibility for an attack on the CIPC’s systems accused the agency of covering up how weak its security really is.

Shortly after the CIPC disclosed that it had been the victim of an “attempted” breach, the hackers contacted MyBroadband.

As proof they were who they claimed to be, the hackers provided private information from the CIPC database that MyBroadband would recognise.

They also provided a sample of data they had exfiltrated from the CIPC containing people’s full names, ID numbers, physical addresses, phone numbers, email addresses, and CIPC passwords.

The anonymous group also showed MyBroadband that it was possible to access someone’s CIPC user account without knowing their password.

In addition, they claimed to have breached the CIPC’s systems in 2021 and infected them with ransomware.

The data sample they provided was posted on Pastebin and dated July 2021.

The group said that after breaking into the CIPC’s systems a second time, they demanded a $100,000 (R1.9 million) payment in exchange for deleting the data they had exfiltrated.

They also said they had discovered a trove of credit card details stored in plain text in the CIPC’s systems, although they assured us they had not taken this data.

“Why? Because although we want money, we are not after the individuals but the bigger organisations!” they said.

“We still have a level of access despite their efforts to remove us,” they said.

In response to these reports, the CIPC issued a statement on its website.

CIPC says it invested heavily in security

“Without detracting from the seriousness of such incident, it’s important to mention that the CIPC is not the only organisation that has been subjected to such a breach,” CIPC Commissioner Rory Voller stated.

“There has been a massive increase of cyberattacks within South Africa and it would seem that as a jurisdiction, we are being targeted.”

The CIPC seemed to take issue with the reports about the ransomware gang that breached its systems.

“Breaching the security infrastructure of any organisation, institution or agency is nothing more than a criminal act and the perpetrators are criminals that should be portrayed as such,” Voller said.

“As a result of the criminal nature of the unlawful and mala fide breach of the CIPC security systems and protocols, the necessary steps will be taken to ensure that the guilty are held responsible for the crimes committed.”

Voller said that as soon as they knew about the breach, the CIPC complied with all requirements in terms of the Protection of Personal Information Act.

It notified the Information Regulator, the South African Police Service, and the State Security Agency of the security compromise. It also published a media statement.

“Every reasonable steps are being taken to ensure that the CIPC systems and platforms are protected from unlawful and/or unauthorised access and abuse, and remain available to our clients for transacting,” said Voller.

“The CIPC has always been aware of the possibility of attacks against its databases and over the years have invested significantly in the best technology to secure the data kept on our registers.”

However, Voller also said that the information in the CIPC’s registers forms part of the public domain and can be accessed by anyone when legal and lawful processes are followed.

“Due to the increased regulatory compliance frameworks within South Africa brought about by the General Laws Amendment Act, 22 of 2022, criminals are feeling the pressure,” said Voller.

“As one of the regulators tasked with enforcing compliance to the legislation, the CIPC is not immune to levels of criminality levelled against it.”

The CIPC urged users to change all passwords and login information as an added security measure.

Victim blaming, and treating people’s data with respect

Voller’s admonishment not to victim-blame those who have fallen prey to ransomware attacks and data breaches has merit.

However, he glosses over the allegations that the CIPC’s systems had been breached and data exfiltrated in 2021, and that the attack was never disclosed.

Furthermore, the hackers say that when they returned in 2024, they exploited the same vulnerability to breach the CIPC’s system a second time.

They also claimed the CIPC stored credit card details unencrypted, provided evidence that passwords were stored in plain text, and showed they could access people’s accounts without a password.

According to the attackers, they could even alter company information, like adding and removing directors.

If these allegations prove true, while the CIPC is not to blame for being attacked, it is to blame for not doing enough to secure its systems better.
