CIPC records breached

[RonSwanson]

Credit card information doesn't even need to be stored as it can be tokenised.

And that is what appears to be the problem.

What are they charging money for a service that they ought to provide the citizenry?

 

[lord-of-war]

So will they also be fined and threatened with jail time like normal companies would be subjected to?

 

[j4ck455]

“Our ICT technicians were alerted, due to extensive firewall and data protection systems in place at the CIPC, to a possible security compromise and as a result, certain CIPC systems were shut down immediately to mitigate any possible damage,” the CIPC said.

The addition of the word extensive suggests that the CIPC is trying to convince everyone that they have something rare and unusual, sounds like BS to me.

“Unfortunately, certain personal information of our clients and CIPC employees was unlawfully accessed and exposed.”

Accessed is one thing, exposed however suggests that the personal information is already being served up. Maybe just semantics.

The CIPC did not reveal any more information regarding the nature of the exposed data but urged its clients to be vigilant in monitoring credit card transactions and only authorise known and valid transaction requests.

That tells me that the CIPC was storing credit card data in plain text, most likely including the expiry dates, 3 digit codes, and anything else collected during the payment process.

 

[Swa]

Black Excellence!

Lekker Transformation, Cadre deployment, BEE and AA!

The four horsemen of the Ramapocalypse.

Nope. Directors' personal information is public. The dissemination of this info is fair use, there is a logical reason for it.

I disagree. The home address of the owner of a business or trademark should not be on a national database and there's a reason to keep such information secret. If someone wants to publish their business address on the web then that should be their own choice.

 

[RonSwanson]

The four horsemen of the Ramapocalypse.

Indeed.

I disagree. The home address of the owner of a business or trademark should not be on a national database and there's a reason to keep such information secret. If someone wants to publish their business address on the web then that should be their own choice.

It's the law, for good reason. A non-juristic person cannot exist, trade or contract without the existence of a traceable jusristic person.

 

[Swa]

Indeed.

It's the law, for good reason. A non-juristic person cannot exist, trade or contract without the existence of a traceable jusristic person.

View attachment 1669823

That says nothing about disseminating private information. The WORLD is moving towards complete privacy. ICANN is considering regulations where a domain names will not contain any private information even hiding the owner from public view. Previously this was a VA service.

 

[RonSwanson]

That says nothing about disseminating private information. The WORLD is moving towards complete privacy. ICANN is considering regulations where a domain name will not contain any private information even hiding the owner from public view. Previously this was a VA service.

Good luck taking a company to court then, when you cannot serve notice on its human representative.

 

[Swa]

Good luck taking a company to court then, when you cannot serve notice on its human representative.

I thought that's what HA was for?

 

[AchmatK]

That tells me that the CIPC was storing credit card data in plain text, most likely including the expiry dates, 3 digit codes, and anything else collected during the payment process.

This is probably a standard response. I doubt they have access to credit card information, let alone store it on their server.

Cipc uses a third party payment gateway not hosted by Cipc. Every card transaction gets redirected to this third party payment gateway.

 

[RonSwanson]

I thought that's what HA was for?

HA?

 

[Fulcrum29]

This is probably a standard response. I doubt they have access to credit card information, let alone store it on their server.

Cipc uses a third party payment gateway not hosted by Cipc. Every card transaction gets redirected to this third party payment gateway.

Did that change now? The last time I used the BizPortal it only redirected on 3D Secure Payer Authentication.

 

[Swa]

HA?

Home Affairs. HA is supposed to be the central repository in SA for every person in the country. I know you probably don't do this but when you move you are legally required to inform them. Only authorised persons with good reasons is supposed to have access to this information. But if HA does not have up to date info then neither does CIPC probably. They only capture it at the time of inception and then I see the records are incomplete in any case where people only list towns. So it's a useless database you are promoting here.

Back to your example only a clerk of the court is legally allowed to serve court papers in any case. Why they have an exception to the mandate of the PO's monopoly on delivering letters. So you're arguing for something that is not legal in the first place. Just because this is how it's done in SA does not mean it's correct or legal so you can't argue that point.

The point you're missing here is that this is not info that should be DISSEMINATED PUBLICLY and it's likely against POPIA. There's a good reason the world is moving to privacy and data protection as the wide availability of this info has only resulted in fraud, corruption, harassment and numerous other crimes. The people with valid legal reason for access to this info don't get it from these public sources in any case so your point is moot.

 

[Swa]

Did that change now? The last time I used the BizPortal it only redirected on 3D Secure Payer Authentication.

You're sure it wasn't just dynamically inserted by a third party? Even if not it doesn't mean the form is submitted to CIPC.

 

[RonSwanson]

Home Affairs. HA is supposed to be the central repository in SA for every person in the country. I know you probably don't do this but when you move you are legally required to inform them. Only authorised persons with good reasons is supposed to have access to this information. But if HA does not have up to date info then neither does CIPC probably. They only capture it at the time of inception and then I see the records are incomplete in any case where people only list towns. So it's a useless database you are promoting here.

Now you're introducing unnecessary information. Yes HA are useless but they (are supposed to) fulfil a different function, not keep track of directors of companies.
And your own point is moot, because it doesn't really matter who / what entity keeps record of the relationship between directors and companies, as long as it is done, the information maintained and made available for use by anyone who may need to access it.

Back to your example only a clerk of the court is legally allowed to serve court papers in any case. Why they have an exception to the mandate of the PO's monopoly on delivering letters. So you're arguing for something that is not legal in the first place. Just because this is how it's done in SA does not mean it's correct or legal so you can't argue that point.

Not true, a peace officer can serve court papers too, and SAPS members, and I'm pretty sure that it can also be done by individuals.
And I dunno why you are arguing this point, it also wasn't part of our original argument, got nothing to do with it.

The point you're missing here is that this is not info that should be DISSEMINATED PUBLICLY and it's likely against POPIA. There's a good reason the world is moving to privacy and data protection as the wide availability of this info has only resulted in fraud, corruption, harassment and numerous other crimes. The people with valid legal reason for access to this info don't get it from these public sources in any case so your point is moot.

Nope, I'm not missing any point. Directors have very specific statutory duties and obligations, and take on liabilities in their personal capacity. If that information wasn't available then there is no ways that they could be held to account. It's therefore clear that there is a need for this information, and the need is reasonable, it is in the interests of consumers and the citizenry at large.
Those that want to shirk their responsibilities would welcome what you are suggesting though, and in that case they should not be directors in anycase.

 

[Swa]

Now you're introducing unnecessary information. Yes HA are useless but they (are supposed to) fulfil a different function, not keep track of directors of companies.
And your own point is moot, because it doesn't really matter who / what entity keeps record of the relationship between directors and companies, as long as it is done, the information maintained and made available for use by anyone who may need to access it.

Wrong. HA is supposed to be legal authority that keeps track of every person in the country. Everything else is not within the legal framework. When a clerk needs to serve court papers to the director of a company they're not supposed to use the public CIPC portal but contact CIPC directly for the name of the director. Whether CIPC has the private information or not they are then supposed to contact HA for the address of this person. I know the information may not always be up to date but you CANNOT argue that we should ignore the laws. Two wrongs don't make a right and it's why this country is in the state it's in.

Not true, a peace officer can serve court papers too, and SAPS members, and I'm pretty sure that it can also be done by individuals.
And I dunno why you are arguing this point, it also wasn't part of our original argument, got nothing to do with it.

Again wrong. Only a clerk of the court is legally allowed to serve formal court notices. I'm not sure if SAPS members can count as clerks but private individuals are definitely not allowed to do so legally. I know in SA it's become a habit where a lawyer can serve a divorce notice to your spouse but legally it's not valid and they're breaking the law. You just don't want to argue this point because you're arguing for something that isn't within a legal framework and so does not have any justification.

Nope, I'm not missing any point. Directors have very specific statutory duties and obligations, and take on liabilities in their personal capacity. If that information wasn't available then there is no ways that they could be held to account. It's therefore clear that there is a need for this information, and the need is reasonable, it is in the interests of consumers and the citizenry at large.
Those that want to shirk their responsibilities would welcome what you are suggesting though, and in that case they should not be directors in anycase.

There is no need for this information to be DISSEMINATED PUBLICLY. You seem obtuse in understanding this point so it's pointless arguing with you.

 

[Fulcrum29]

You're sure it wasn't just dynamically inserted by a third party? Even if not it doesn't mean the form is submitted to CIPC.

It is best that the CIPC themselves are asked which parties are collecting that data and how it is shared and processed. I am unable to check the implementation and hooks/calls now.

Just by quoting their own terms:

18.Credit/ Debit Cards method for PAY-AS-YOU-GO Model​

(1) Where payment is made by credit card, CIPC may require additional information in order to authorise and/or verify the validity of payment. Customers warrant that they are fully authorised to use the credit card supplied for purposes of paying for services. Customers also warrant that the credit card has sufficient funds to cover all the costs incurred as a result of the services used on any of the CIPC channels.

(2) CIPC only accept Visa and Master credit cards. American Express and Diners Club cards have been excluded as payment methods.

(3) All debit cards will are accepted. Please note that in order to make the payment for services by debit card, you have to be linked to an internet banking system.

(4) Any challenges with the online payment must be referred to the support service of your bank.

(5) Any dispute concerning the funds withdrawal or crediting of funds to your bank card must first be referred to CIPC before a credit card is chargeback by your bank.

(6) Only 3D Secure/Secure Code technology enable cards will be accepted. If your bank has no appropriate certificate to use this technology, your payment via the payment system will not be processed.

19.Security Policy for “Pay-as-you-go” Model​

(1) Payment by credit or debit card is made through the website of the electronic payment system. Security of payments through payment portal is ensured by Secure Sockets Layer protocol (SSL) used for confidential information transmission from a customer to the payment portal server for further processing. Further transmission of information is carried out via the closed banking networks which are practically impossible to penetrate.

(2) The processing of confidential customer information (credit card numbers, cardholder, expiration date etc.) is done in the processing center of the bank that is contracted to provide services to CIPC. Thus, nobody, not even a seller, can receive the customer's personal and credit card data, including information on his/her purchases.

(3) The safety of the payment procedure is ensured by traffic encryption (SSL).

Features of payment via Visa Electron and Master cards:

(4) Customers must make sure that card has a CVV2 (CVC2) code, located on the back of your card.

(5) All transactions are encrypted using appropriate encryption technology.

I can't remember who their provider is, but in the past the user had to input the payment data on the CIPC website and was then redirected to 3D Secure to authenticate the payment. Does the CIPC website capture and transmit that data, yes, but do they retain that data?

They have a standard clause on how your data may be used:

(9) We may share your information (as described above) with our business partners to provide you with products or services that you have requested or to provide you with promotional offers that we believe will be of interest to you. Our business partners include all of our affiliated companies as well as other selected businesses with which we have a relationship and which have agreed to adhere to our strict standards for providing quality products and services, responding to your needs, and protecting customer information. We may also employ other companies and individuals to perform functions on our behalf. Examples include fulfilling orders, delivering packages, sending postal mail and email, removing repetitive information from customer lists, analysing data, providing marketing assistance (including direct and targeted marketing), processing credit card payments, and providing customer service. They have access to personal information needed to perform their functions, but cannot use it for other purposes.

It is up to them to provide clarity. Say this data is out in the wild, not all ecommerce requires 3D Secure.

 

[RonSwanson]

Wrong. HA is supposed to be legal authority that keeps track of every person in the country. Everything else is not within the legal framework. When a clerk needs to serve court papers to the director of a company they're not supposed to use the public CIPC portal but contact CIPC directly for the name of the director. Whether CIPC has the private information or not they are then supposed to contact HA for the address of this person. I know the information may not always be up to date but you CANNOT argue that we should ignore the laws. Two wrongs don't make a right and it's why this country is in the state it's in.


Again wrong. Only a clerk of the court is legally allowed to serve formal court notices. I'm not sure if SAPS members can count as clerks but private individuals are definitely not allowed to do so legally. I know in SA it's become a habit where a lawyer can serve a divorce notice to your spouse but legally it's not valid and they're breaking the law. You just don't want to argue this point because you're arguing for something that isn't within a legal framework and so does not have any justification.


There is no need for this information to be DISSEMINATED PUBLICLY. You seem obtuse in understanding this point so it's pointless arguing with you.

Ai toggie...
You are really talking a load of hogwash. The next time the sheriff pays you a visit to serve summons or write up your household assets, you can tell him that what he is doing illegal

At least we agree, no sense in continuing this argument.

 

[tridev]

CIPC is corrupt like any other gov department. Laid a complaint with them against a company violating the companies act and they rejected my complaint. When I asked how is it possible , they said they sent me the rejection form but they didnt reject it. They said they will ask the company to change their name. Non sensical answer. Followed up as if they would do something and they ignored me. They just lied to me to get me off their back. They just allow the company to operate with a name not allowed by the companies act. Probably got nice bribe as payment.

Only way to get them to do their job is to sue them .

 

[Swa]

Ai toggie...
You are really talking a load of hogwash. The next time the sheriff pays you a visit to serve summons or write up your household assets, you can tell him that what he is doing illegal

At least we agree, no sense in continuing this argument.

Ai toggie, it's clear you don't know the subject you're talking about here. Btw, the sheriff is a clerk and servant of the court.

 

[RonSwanson]

Ai toggie, it's clear you don't know the subject you're talking about here. Btw, the sheriff is a clerk and servant of the court.

Well that's it, I clearly won't be missing anything by putting you on ignore.