Attack shows risk of unauthorized disclosure of confidential commercial party information
It would appear that the young pan-African antitrust enforcement agency’s web site has been hacked. The headline on the COMESA Competition Commission’s (“CCC”) home page today seems to indicate a relationship with a web site bearing the Indonesian TLD (top-level domain) “.ID”, and looks like gibberish at first glance.
Then, after some digging, AAT’s editors believed that it might in fact be a tribute or memorial of sorts to the missing crew and passengers of flight MH 370, given the Indonesian language of the text and the disappearance of the jetliner in the Viet-Indo-Malaysian region’s equivalent of the Bermuda Triangle. The relationship with COMESA escaped us, however. Yet, upon a final review of the Google Translate result, we can confirm that this is unfortunately not the case. Instead, it appears to be a (fairly amateurish) love poem (full text in Google Translate’s English below).
With all this wind-up, here comes the real point in the story. We perceive this hacking event as evidence of a real risk that highly confidential party information (stemming from COMESA merger reviews or other competition investigations) may be vulnerable to accidental or intentional disclosure to unauthorized third parties. In the United States, the agencies’ unwarranted disclosure of confidential data took center stage in the 2007 aftermath of the $1/2 billion Whole Foods / Wild Oats merger, during which the FTC had accidentally submitted an insufficiently redacted PDF document to the electronic U.S. court filing system ECF, spilling the secret data guts of the case. The Washington Post reported on the story here — just as we are now alerting current or potential future parties to CCC merger reviews regarding the apparently deficient safeguards in the competition enforcer’s electronic systems. We advise all such interested parties to enquire with the Competition Commission precisely which steps are being taken to ensure the safety of their confidential submissions to the agency.
We also note that the CCC’s site has a very publicly visible page for access to “PRIVATE” documents, protected only by (it would seem) a most simple username/password combination. The site even allows for a cookie-based “Remember Me” function. The privacy risks here are manifold, as any e-security expert worth her salt can attest to: Should this “private” document repository contain confidential party information, and if the main home page of the agency has already been subject to a (successful) attack, it is no stretch to imagine that access may have equally been gained to the purportedly private document storage folder on the site.
AAT has contacted the CCC’s web master and leadership, Messrs. George Lipimile and Willard Mwemba, to inquire further about the details of this apparent safety breach. We will report on their response here once we have heard back from them.
Full text of COMESA site as of 17 March 2014 (all day) – (update 18 March: the text is still up on the site at 16:40 GMT):
Andika curhatan Dot ID
This heart is sick when you kianati
This heart is fragile when you leave
But this heart grateful you have introduced the meaning of a broken heart
I can still smile while getting bad grades
I can still smile when dropped
But I would not be smiling if it can not meet you
You introduced me to a love
But you were also introduced me to breakup
I’ve never know a woman like you
I also have never loved a woman like you
And I’ve never felt hurt because of you
None other than the beautiful scenery seen
None other than the beautiful singing heard
And no one has to know you regret
This heart will smile with you when both
And this will be a pensive moment waiting to hear from you