Five Things You Need to do After the CIPC Hack
On the 1st of March 2024, the CIPC admitted it had been hacked. The CIPC said in a statement that, “Our ICT technicians were alerted, due to extensive firewall and data protection systems in place at the CIPC, to a possible security compromise and as a result, certain CIPC systems were shut down immediately to mitigate any possible damage.”
While they referred to the incident as “an attempt” to hack their systems, they also added, “Unfortunately, certain personal information of our clients and CIPC employees was unlawfully accessed and exposed.”
A few days later MyBroadband.co.za said they had been contacted by the hackers, who allegedly proved they had had access to the site since 2021 and that the CIPC could be understating the damage done. Whether the claims made to MyBroadband are accurate or not, there is a possibility that this hack has leaked private information from many or all of South Africa’s registered businesses and presumably given outside access to company registrations, which potentially allows the hackers to make alterations to core business areas.
Together with a long-standing issue at SARS that periodically sees clients receiving an email or SMS stating, “unauthorised changes were made to your personal details on eFiling”, it is clear that South African businesses need to be aware of the risks of online attacks at key government organisations and more importantly, know what to do about them.
These are the main concerns:
Private information leaked
According to reports, the hackers may have gained access to the private credit card information used to make payments to the CIPC. MyBroadband quotes the alleged hackers as saying the CIPC was “processing and storing credit cards in the clear.” While most banks require access to an app as verification, the exposure of CVVs and expiry dates of cards is a risky proposition. When combined with other information stored on the site, such as the names, addresses and signatures of directors, there is a real risk that company clients and contacts may be open to being scammed through fake profiles or other contacts generated by malicious third parties.
Access to Company registrations
If, as is alleged, hackers have gained unfettered access to the company registrations section and the login details for multiple clients, companies risk potential changes in their core information. Directors can be changed, addresses altered and critically, key documentation can be downloaded.
The latter is of great concern as these documents could allow a fraudster to open bank accounts in a company’s name. After that it becomes simple to contact clients saying that bank account details have changed, and even offer them the proof that they are speaking to legitimate company representatives. From there money could easily be siphoned into these phoney accounts and it may take weeks or even months to uncover.
What should you do?
With every company vulnerable it’s critical to take a number of steps immediately to mitigate the risk and potential damage.
- Check bank accounts and cards
Monitor your bank account and card transactions even more closely than before for any signs of suspicious activity. If any unusual activity does occur, report the incident to the bank immediately and consider cancelling any bank cards that may have been exposed on the CIPC website and ordering new ones.
- Warn your clients
You may want to consider adding a warning to emails and client correspondence that asks them to treat any notices supposedly from your business of changes to bank account or personal details with caution due to the CIPC hack and SARS login leaks. The warning should carry the caveat that should they receive any bank detail change correspondence they should check with you directly before making alterations to payments.
- Change your usernames and passwords
Change all login details. Assume your current passwords have been compromised and check whether you have used them on other sites as well. Even if this is not the case, it’s wise to change all your important passwords periodically, particularly those for bank accounts or other financial institutions.
- Warn your employees
Alert all employees that any emails, calls or other communication from banks, insurers or fraud divisions should be treated as suspect. Instruct your employees to authenticate communications directly with those departments immediately (using contact details they know to be genuine) rather than give away any information to an unverified person. This is good practice anyway in light of surging cyberfraud generally, but the CIPC hack makes it essential.
- Remain vigilant
We as your accountants are happy to help advise you on how to monitor the credit bureaus and banks to track any illegal accounts, which may be opened in your name and discover suspicious changes in the invoicing and payments. A client who usually pays regularly suddenly stopping is now cause for an immediate follow-up.
Don’t stop being cautious. These sorts of hacks can often come back to haunt a company months after they happen. Assume you will need to be careful for at least a year as the hackers work their way through their haul and try to make the most of it.
Your Tax Deadlines for April 2024
- 05 April – Monthly Pay-As-You-Earn (PAYE) submissions and payments
- 25 April – VAT manual submissions and payments
- 29 April – Excise Duty payments
- 30 April – Value-Added Tax (VAT) electronic submissions and payments & CIT Provisional payments where applicable.
Donating to a PBO? Check SARS’ New Requirements (and PBOs Note Your New 31 May Deadline)
Many PBOs are dependent on donations and, to encourage the public’s generosity, a tax deduction is provided for certain donations made by taxpayers.
Qualifying PBOs (i.e. section 18A-approved organisations) may issue tax certificates – called section 18A receipts – to donors. This tax certificate – or section 18A receipt issued by a section 18A-approved organisation – entitles you or your company to a deduction from taxable income for bona fide donations in cash or of property.
While approved section 18A institutions were previously required to keep records of all section 18A receipts issued, the requirements have changed, affecting both PBOs and their private and corporate donors.
PBOs: New requirements, and a 31 May 2024 deadline
Previously, the information that had to be provided by a PBO for a valid section 18A certificate was limited to the details of the PBO; details of the date, amount or nature of the donation; confirmation of how the donation would be used; and the name and address of the donor.
Last year, SARS issued further requirements for more detailed information to be included on all section 18A certificates issued from 1 March 2023. This includes the nature of the donor; the donor’s identification or registration number; donor trading name (if different from the registered name); donor income tax reference number; donor contact number and e-mail address; and a unique receipt number.
In addition, this year – like other third parties such as the banks, medical schemes and fund administrators required by law to send data to SARS – all PBOs are now also required to submit bi-annual reports – called an IT3(d) – to SARS. The first deadline for PBOs in this respect is 31 May 2024.
From this date, approved section 18A tax-exempt institutions must submit IT3(d) data via eFiling on the section 18A tax-deductible receipts issued. This includes information on the section 18A-approved tax-exempt institution, donation information and donor information for the 2023/2024 year of assessment (i.e. section 18A receipts data from 01 March 2023 to 28 February 2024).
Professional assistance is essential
While it has always been best practice to check with your accountant first before making a donation and relying on the tax break, it is now more crucial than ever for companies and individuals to ensure that the PBO being supported, as well as the tax certificate – or section 18A receipt – issued to obtain a tax deduction, meet SARS’ new requirements. Also remember to check the limits: the amount of donations which may qualify for a tax deduction is limited to 10% of taxable income.
We can also help PBOs to ensure they can meet the new requirements and deadlines, to ensure compliance and that their donors can enjoy the tax breaks that will encourage generous giving.