Information regulator launches investigation into CIPC

26 Mar 2024

The Information Regulator for South Africa says it has launched an own-initiative investigation into the Companies and Intellectual Property Commission (CIPC) following a widely publicised security breach of its systems.

CIPC – an agency inside the Department of Trade, Industry, and Competition where companies, co-operatives, and intellectual property are registered – issued a notice on 29 February that its systems were compromised and the personal information of its clients and employees was exposed.

While CIPC claimed at the time that the breach was contained and curtailed, the alleged hackers told MyBroadband that this is not the case: they still have access to parts of the system, and information is still exposed.

The hackers added that the security vulnerability that was exploited has existed since at least 2021. CIPC did not comment on these claims but published statements reassuring clients that it had invested heavily in security and that it had taken measures to protect data.

Shortly after the hackers revealed that they were still in the system, CIPC adopted a new customer verification process to further lock down accounts. The new system requires verification of personal information with the Department of Home Affairs (DHA).

The commission also noted that it notified the Information Regulator, the South African Police Service, and the State Security Agency of the security compromise.

Announcing the investigation into the breach, the Information Regulator raised concerns about reports it received that the CIPC systems are still compromised.

“Reports received by the Regulator indicate that the threat actors that breached the CIPC systems are still in the CIPC IT environment, and the CIPC systems remain compromised,” it said.

“Another point of inquiry regarding the CIPC’s organisational and technical measures for protecting personal information will be whether the CIPC’s business model facilitates the selling and buying of personal information in its possession.”
