WHAT’S HAPPENING AT CIPC?
If you’re a business-y person living in South Africa, you’ve probably heard about this. For those of you not clued up, there was a recent cybersecurity breach at the South African Companies and Intellectual Property Commission (CIPC). The CIPC initially let the cat out of the bag on 29 February 2024 through a public notice which acknowledged unauthorised access to the personal information of their clients and CIPC employees.
Despite attempts to downplay the severity of the incident, it seems that the impact was far worse than CIPC initially indicated. Hackers say they’ve had access to CIPC’s systems since 2021 through a ‘Sword South Africa’ software flaw. However, what’s more concerning is that hackers are reportedly still within the system … they’re calling from inside the house!
After it was notified of the breach, the Information Regulator (IR) launched an own-initiative investigation. Naturally, the IR is worried about the alleged ongoing compromise and intends to investigate the adequacy of CIPC’s organisational and technical measures for safeguarding personal information – including whether CIPC’s business model facilitates the trading of personal information in its possession.
WHO IS AFFECTED BY THE BREACH?
The breach affects anyone who has shared personal information with the CIPC, including directors, shareholders, and companies. That’s a lot of people. Those affected could be exposed to identity theft, financial fraud, unauthorised transactions, operational disruptions, and reputational damage.
HOW WILL CIPC PREVENT A BREACH FROM HAPPENING AGAIN?
While the breach is still under investigation, CIPC, a bit like a cat on a hot tin roof, initiated a new customer verification process. CIPC also advised clients to monitor credit card transactions closely and only authorise known requests.
HOW CAN YOU PREVENT A BREACH FROM HAPPENING TO YOU?
Nine lives? I think not. To safeguard against future breaches, organisations and individuals must prioritise cybersecurity.
Here are a few measures you can implement:
- Use multi-factor authentication (MFA).
- Encrypt documents containing personal information before sharing them.
- Update antivirus programmes, software and passwords regularly.
- Maintain regular backups.
- Enforce access controls.
- Provide ongoing training to employees on cybersecurity and preventative measures.
- Create an incident response plan and provide training to staff on how to implement it.
THINK YOU’VE HAD A BREACH?
If you suspect a breach, you must comply with section 22 of the Protection of Personal Information Act, 4 of 2013. That means that you must complete FORM SCN1 on the Information Regulator’s website and follow the steps in the Guideline to notify the Information Regulator and the data subjects affected by the breach.
LEARN FROM OTHERS’ MISTAKES
Don’t get thrown to the lions. Implement proactive cybersecurity measures to keep personal information away from those hacking paws. If you discover or suspect a breach, deal with it immediately. Let us learn from this incident and take immediate action to protect the privacy of personal information in our own processing activities.
“Mistakes are a fact of life. It is the response to error that counts.” – Nikki Giovanni