Cybersecurity specialist NEC XON has advised Companies and Intellectual Property Commission (CIPC) customers whose data may have been compromised in last week’s breach of the organisation’s systems to change all their passwords and ensure that multi-factor authentication is enabled for their online services.

This follows NEC XON’s discovery on Wednesday morning that more than 140 credentials from the CIPC breach were for sale on the “dark web”.

“Some of the credentails are for health insurance providers and online banking systems – and the credentials actually work,” said Armand Kruger, head of cybersecurity at NEC XON, in an interview with TechCentral.

According to a statement on the CIPC website, records holding confidential customer data were compromised after an attack on its systems last week.

“Our ICT technicians were alerted to a possible security compromise and, as a result, certain CIPC systems were shut down immediately to mitigate any possible damage,” it said. “Unfortunately, certain personal information of our clients and CIPC employees was unlawfully accessed and exposed.”

The warning by NEC XON applies particularly to those who use the same credentials for their CIPC account as they do for accessing any other digital services platforms, such as logging into insurance portals or their online banking facilities.

Known as “credential stuffing”, this is when hackers gain access to a set of login credentials from one website, and then “stuff” those credentials into other websites until they find matches. This is why using the same password more than once is seen as a huge security risk, said Kruger.

Growing list

The CIPC is the latest in a growing list of government agencies and state-owned enterprises in South Africa to fall victim to cyberattacks, bringing the state’s ability to protect citizen data into question. Last month, an attempted breach at the Government Employees Pension Fund caused the pension fund administrator to shut down its customer-facing services as it attempted to isolate and curtail the attack.

“The data the government holds controls the country and manages the data confidentiality of the entire population. Breaches of public institutions erode citizen trust and threaten financial stability and economic sustainability,” said Kruger.

The frequency of attacks on public institutions is a cause for concern, and although government may have its own particular weaknesses, the problem is neither unique to the public sector nor limited to South Africa’s territory.

Read: Justice department takes Info Regulator to court over R5-million fine

“The state and many other entities globally are being forced to transform digitally. Everyone now has to use technology which is not something they were born to do,” said Jayson O’Reilly, MD at CYBER1 Solutions, a systems integrator specialising in cybersecurity.

“Organisations must now understand their threat surface level and figure out how they could be attacked. It’s not a state institution problem; it’s a problem of how organisations look at defending themselves against cyberattacks.”

Through CYBER1’s engagement with a number of government entities, O’Reilly has observed that certain departments are stifled in their ability to develop sound cybersecurity strategies because they, like many other organisations, fall victim to the fearmongering spread by various entities who may or may not have something to gain from the resulting confusion.

As a result, there is a mismatch between the amount that government spends on cybersecurity and how effective these discrete solutions are at protecting citizen data from attackers looking to exploit weaknesses in its systems. To overcome this misalignment, said Kruger, procurement discussions need to move away from a product or vendor paradigm to a more strategic outlook that will help government executives make decisions on security spending based on a realistic understanding of how cybercriminals think.

“The vendor community says that if you buy more technology you will be safer, but that adds more convolution and complexity,” said O’Reilly.

Another problem stifling government’s ability to develop an effective cybersecurity strategy is the fragmentation among different entities. O’Reilly explained that there is a big silo disconnect in government while third-party vendors are trusted when they could be vulnerable themselves. Government must adopt a “zero-trust approach” to overcome these weaknesses, he said. In a zero-trust architecture, no users or devices are trusted by default and any entity trying to access any part of the system must be verified at each access point.

But both cybersecurity experts TechCentral spoke to (Kruger and O’Reilly) note that there are also positives stemming from the attacks on government infrastructure: they should lead to improvements in how well citizen data is protected in future.

Information Regulator

The first benefit is a better understanding of where the deficiencies are in state systems, which will guide spending and attention in a more effective way. Related to that is a better understanding of how cybercriminals view government systems and where they are more likely to attack.

The Information Regulator conducts compliance assessments on public and private bodies to ensure they have adequate security safeguards to protect user data. In July 2023, the regulator fined the justice department R5-million for failure to comply with an enforcement notice that imposed remedial actions on the department following a September 2021 data breach.

Read: State pension fund administrator staves off cyberattack

According to section 22 of the Protection of Personal Information Act (Popia), institutions must report any data breaches to the regulator in the form of an official notice.

The CIPC sent a notice to the Information Regulator last week in terms of Popia. The regulator told TechCentral on Wednesday that it is in the process of sourcing more information from the CIPC regarding the data breach, but it is concerned about the overall increase in the rate of cyberattacks.

“We have received 224 security compromise notifications from January 2024 to date, of which four were from public institutions including the CIPC,” a spokeswoman for the regulator said.

O’Reilly praised the Information Regulator’s hardline approach to entities that are lacklustre in their response to data breaches, whether they be in the public or private sector. The regulatory pressure, he believes, is pushing organisations to do a better job of shoring up their defences.

Even so, with new forms of attack being conjured by cybercriminals all the time – now with the added help of artificial intelligence – the duty of protecting user data will get increasingly more difficult.