South Africa’s companies database shuts down all core IT systems after data breach

The Companies and Intellectual Property Commission (CIPC) has shut down all of its core IT systems to perform “urgent system maintenance”, it said in a notice on Wednesday.
According to the notice, the maintenance will span 17 hours — from 14:00 on 6 March to 07:00 on 7 March 2024.
The BizPortal and CIPC websites were offline at the time of publication, and the CIPC’s call centre and self-help service centres in Cape Town, Johannesburg, and Pretoria will also be closed until 08:00 on Thursday.
The urgent maintenance comes after the CIPC notified users of a data breach last week, saying that its security systems detected the intrusion, allowing technicians to shut down its systems and mitigate any possible damage.
Shortly after its announcement, the hackers who claimed responsibility for the attack contacted MyBroadband and accused the CIPC of covering up the data breach’s severity.
As proof that they were who they claimed to be, the hackers provided private information from the CIPC database that MyBroadband would recognise.
They also pointed to a post on Pastebin as proof of their claim. The data sample contained several people’s full names, ID numbers, physical addresses, phone numbers, email addresses, and CIPC passwords.
The post is dated 2021.
According to the hackers, they had breached the CIPC’s systems in 2021 and infected them with ransomware.
When they weren’t paid and they found their access cut off, the group moved on and didn’t think much of it.
However, nearly three years later, they found they could still get into the CIPC’s systems using the same vulnerability they had exploited before.
Not only that, but this time, the attackers found unencrypted credit card information while probing the CIPC’s systems.
“They tried to cover their tracks when we pointed out the basic security holes. They are reckless with sensitive info,” the anonymous group said.
“This incompetence extended to them processing and storing credit cards in the clear.”
The group also showed MyBroadband that it was possible to access someone’s CIPC user account without knowing their password.
After breaking into the CIPC’s systems a second time, the group said they demanded a $100,000 (R1.9 million) payment in exchange for deleting the data they had exfiltrated.
“We still have a level of access despite their efforts to remove us,” they said.
The CIPC previously declined to comment on the allegations, saying that answering MyBroadband’s questions could expose it to further security risks.
“We are currently handling this matter with the relevant law enforcement agencies,” CIPC chief strategy executive Lungile Dukwana said.
MyBroadband contacted the CIPC again to ask whether the outage was related to the data breach. It had not responded by publication.