The CIPC hack has potentially serious consequences for South African organisations

A lack of visibility into the extent of the hack and the information compromised puts companies at risk of fraud.

The South African Companies and Intellectual Property Commission (CIPC) holds the registration details of companies, co-operatives and intellectual property rights within a vast database that comprises ID numbers, addresses, contact information and more. It has also recently been compromised in a hack that has left millions of companies vulnerable. As Richard Frost, Head of Consulting at Armata points out, the lack of visibility into the type of information stolen is a very real concern as some of the data should not be in the public domain, much less in the hands of hackers.

“The CIPC site does allow for organisations and individuals to verify a company using basic information such as the registration number, but the moment you get real information about Directors such as their ID and where they live, there is ample opportunity for fraud and identity theft,” he explains. “For example, using a company’s registration and Director information, criminals can place an order for laptops with fake banking information and a fake address. The firm providing those laptops will then chase the company for payment of an order it didn’t make. Then the company is liable for the costs, not the threat actor.”

In addition to impersonating a Director, fraudsters can use the information to email customers of legitimate organisations and claim the company has changed its bank account information. They can provide customers and suppliers with CIPC data that verifies who they are and essentially siphon funds away from the business. Customers will insist they’ve paid, but the funds have actually gone to a fraudulent account.

As the extent of the hack emerges, companies need to remain on the alert for at least six to 12 months – this type of attack has a long tail and organisations need to protect themselves through constant vigilance. The risk is that many companies won’t realise they’ve been targeted until an incident is flagged. This can then cost them significantly in terms of reputational damage, financial loss and even customers.

“Companies, whether they are large enterprises or solopreneurs, need to stay close to TransUnion and Experian right now,” says Frost. “You need to see who is opening up accounts in your name. For larger organisations, it’s worth taking a leaf out of the financial institution playbook and creating digitally stamped documents to prove that any request or purchase is coming from a legitimate company. Most importantly, though, for companies of all sizes, is to stay close to the credit bureaus so you can quickly catch any unusual activity.”

To mitigate potential customer fallout, companies should contact their customers and highlight the risks, asking them to be aware of any changes in day-to-day interactions and confirm in person if any requested changes are genuine.

“Every single company in South Africa needs to send out an email to customers highlighting the potential risks and giving them insight into how they can prevent them,” concludes Frost. “In addition, individuals need to be aware of fake calls and scams – if a caller says they’re from a fraud division, instead of paying or providing personal information, suggest calling them back first. The CIPC hack essentially asks that companies and individuals increase their vigilance across all platforms so they don’t fall victim to crime.”

For many companies and individuals, a successful hack or case of fraud can leave them financially destitute and there are limited legal and governmental protections in place. While this landscape is changing, the best step forward is to be on the constant alert to avoid the need to take the CIPC on a long, drawn-out court case or rebuild your business from scratch.