- South Africa’s Information Regulator announced in a media briefing that it has launched an independent investigation into the Companies and Intellectual Property Commission (CIPC) following a security breach in its systems.
- The regulator stated that it had received reports that the perpetrators who hacked the system were still in the CIPC IT environment and that the CIPC systems remained compromised.
- Additionally, the regulator said it will investigate whether CIPC’s business model facilitates the trading of personal information in its possession. This relates to CIPC’s organisational and technical safeguards for personal information.
CIPC, as part of the Department of Trade, Industry, and Competition, handles registration relating to companies, co-operatives, and intellectual property.
On February 29, 2024, the agency informed the public that it had experienced an “attempted” security breach and that the personal information of clients and employees had been compromised. The information includes the names and addresses of the registered clients.
While CIPC stated that the extent of the exposure is being investigated and will be communicated soon, a group claiming responsibility for the hack told My Broadband that the CIPC system has been vulnerable for a long time, claiming that they have had access to the system since 2021.
The attackers claim they have downloaded all of Sword South Africa’s source code for the systems they exploited, and that they used an exploit in a system created for the CIPC to make the breach possible.
Now, the group is asking for $100,000 [R1.9 million] to delete everything and maintains they still have access despite CIPC’s efforts to remove them.
The regulator also provided an update on TransUnion, a credit bureau in South Africa, which experienced a data breach in March 2022. The regulator said that after its assessment, it found that TransUnion violated the conditions for the lawful processing of personal information.
Consequently, it has served TransUnion with an enforcement notice requesting that it strengthen its data management and security protocols. Following the enforcement notice, the credit bureau must submit proof to address the process by May 26, 2024.