Companies and Intellectual Property Commission website leaks sensitive information

The CIPC's (South Africa's Companies and Intellectual Property Commission) is one of those websites where I routinely have to reset my password. While going through the usual motions today, it occurred to me that the process allows personal data of registered users to leak out. Registered users can of course create new companies and change the details of (their) existing ones.

In order to get a password reset, you have to enter your CIPC username. The system then sends a web address to your e-mail and a one-time pin (OTP) to your mobile phone number. Somewhat surprisingly, both of these are displayed on the screen after you have entered your username, divulging the private contact details of users to anyone who knows the username.

Why is this a serious problem? Well, usernames can be easily constructed from the surnames and initials of registered users. For example, the usernames consist of a small number of letters and I was easily able to find quite a few by trial and error. Subsequently, I retrieved cellphone numbers and e-mail addresses (none of which I stored, of course) as in the accompanying image. Someone really determined to hijack a company by changing the identities of directors might start with this and continue to then obtain access to the e-mail and cellphone number of a user responsible for the details of a company they are targeting.

My knowledge of the relevant legislation is relatively limited but I can well imagine that the CIPC does not comply with applicable South African legislation on the protection of personal information. If a key organ of state struggles to comply with the edicts of parliament, how could the courts possibly expect ordinary citizens and companies to do so? As usual with vague legislation and sporadic enforcement (and with sharks and other predators) it is simply bad luck if you are caught, basically.