Site down – 5 “comfort letters” in 5 months – Guidelines revision by June
In an almost farcical repetition of its information-technology woes, the COMESA Competition Commission’s web site (http://www.comesacompetition.org/) is off-line, yet again, after having been successfully hacked multiple times. Whether the latest outage is due to a similar attack or simply (and hopefully) due to its webmaster’s shoring up the competition enforcer’s IT security measures remains to be seen. (We have not yet heard back from the agency’s leadership on our request for information on the online data safety of parties’ submissions.)
In more substantive news, IFLR reports that the CCC has issued five so-called “Comfort Letters” since December 2013, exempting otherwise notifiable transactions from the duty to file (as well as the concomitant payment of the (high) filing fees), where the actual nexus to the COMESA region was negligible or non-existent. This may help explain some of the lackluster filing statistics on which we reported previously.
For the third time in a month, the fledgling pan-African antitrust enforcer’s web site has been disabled by hackers
As competition-law attorneys counseling clients on the necessity of notifying mergers in the COMESA jurisdiction, we view these developments with – put mildly – shock. This is especially true as confidential party data and documents would appear to be at risk of involuntary and malicious disclosure to third, unauthorized parties. As reported at AfricanAntitrust.com, the COMESA enforcement agency’s web site has previously been hacked and later simply disabled.
COMESA leadership non-responsive
On both prior occasions, AAT’s editors wrote to the COMESA Competition Commission’s webmaster, as well as the agency’s leadership (Messrs. George Lipimile and Willard Mwemba), to seek an explanation of the attacks. We also asked them about the safety of data and other confidential party information submitted to the CCC via its extranet & online document repository.
We have not received any response to date. What’s more, in a – perhaps unsurprising, at this stage – turn of events, the Commission has now been subjected to its third hacking attack.
Hackers boast of achieving successful attack
This latest episode also embodies the most disconcerting hack, as it appears visually and substantively more malicious than the prior attacks (one of which featured an Indonesian love poem, whilst the second rendered the CCC’s page simply blank). A visual example of the latest attack can be found below. The hackers (identified as “Kinal Undetected” from SerdaduPerangCrew and SPCSO) [note: prior and subsequent links open hacker-related pages] acknowledge – for the first time – that it is an intentional event and not merely an accidental outage or otherwise unintended gaffe of the CCC’s webmaster. Moreover, the perpetrators even submitted a screenshot of the intrusion to “Zone H”, a clearing-house of hackers, as evidence of the attack on Monday. This means that the CCC’s site has been disabled for at least two full days (through 14 May — UPDATE: the regular COMESA site is back up and running at 16:00 CET, 14th May). On the prior occasions, the site likewise remained compromised for several days in a row.
High risk of data security breach & next steps
We are in the process of sending yet another follow-up e-mail to the CCC’s executives to obtain further information about this unsettling and embarrassing security breach/failure, including: (1) risks to confidential corporate information, (2) the impact on the private deliberative process of the Commission, as well as (3) steps the CCC intends to take to prevent future replication of these embarrassing and dangerous attacks, including (we propose) the retention of a professional data-security firm for advice and potentially management of the web interface.
Call for parties to CCC proceedings to take action
Especially in light of COMESA staff’s unsettling silence in response to alerts to these attacks, and as we have done before, we are notifying our readership (and particularly current or potential future parties to CCC merger reviews) regarding the deficiencies in the competition enforcer’s electronic systems. These may impact the timetable and resulting deadlines of pending merger investigations, and it is advisable that all such interested parties enquire with the Competition Commission about the procedural effect of the outage.
As before, where we pointed out that the Commission’s hacking event constituted “evidence of a real risk that highly confidential party information (stemming from COMESA merger reviews or other competition investigations) may be vulnerable to accidental or intentional disclosure to unauthorized third parties,” we are alerting current or potential future parties to CCC merger reviews regarding the deficiencies in the competition enforcer’s electronic systems. These may impact the timetable and resulting deadlines of pending merger investigations, and we advise all such interested parties to enquire with the Competition Commission about the procedural effect of the outage.
Attack shows risk of unauthorized disclosure of confidential commercial party information
It would appear that the young pan-African antitrust enforcement agency’s web site has been hacked. The headline on the COMESA Competition Commission’s (“CCC”) home page today seems to indicate a relationship with a web site bearing the Indonesian TLD (top-level domain) “.ID”, and looks like gibberish at first glance.
Then, after some digging, AAT’s editors believed that it might in fact be a tribute or memorial of sorts to the missing crew and passengers of flight MH 370, given the Indonesian language of the text and the disappearance of the jetliner in the Viet-Indo-Malaysian region’s equivalent of the Bermuda Triangle. The relationship with COMESA escaped us, however. Yet, upon a final review of the Google Translate result, we can confirm that this is unfortunately not the case. Instead, it appears to be a (fairly amateurish) love poem (full text in GoogleTranslate’s English below).
With all this wind-up, here comes the real point in the story. We perceive this hacking event as evidence of a real risk that highly confidential party information (stemming from COMESA merger reviews or other competition investigations) may be vulnerable to accidental or intentional disclosure to unauthorized third parties. In the United States, the agencies’ unwarranted disclosure of confidential data took center stage in the 2007 aftermath of the $1/2 billion Whole Foods / Wild Oats merger, during which the FTC had accidentally submitted an insufficiently redacted PDF document to the electronic U.S. court filing system ECF, spilling the secret data guts of the case. The Washington Post reported on the story here — just as we are now alerting current or potential future parties to CCC merger reviews regarding the apparently deficient safeguards in the competition enforcer’s electronic systems. We advise all such interested parties to enquire with the Competition Commission precisely which steps are being taken to ensure the safety of their confidential submissions to the agency.
We also note that the CCC’s site has a very publicly visible page for access to “PRIVATE” documents, protected only by (it would seem) a most simple username/password combination. The site even allows for a cookie-based “Remember Me” function. The privacy risks here are manifold, as any e-security expert worth her salt can attest to: Should this “private” document repository contain confidential party information, and if the main home page of the agency has already been subject to a (successful) attack, it is no stretch to imagine that access may have equally been gained to the purportedly private document storage folder on the site.
AAT has contacted the CCC’s web master and leadership, Messrs. George Lipimile and Willard Mwemba, to inquire further about the details of this apparent safety breach. We will report on their response here once we have heard back from them.
Should readers have any other information on the goings-on at the CCC or its web site, we always appreciate hearing from you, either by way of e-mail or in the comments section to this article.
Full text of COMESA site as of 17. March 2014 (all day) – (update 18. March: the text is still up on the site at 16:40 GMT):
Andika curhatan Dot ID
This heart is sick when you kianati
This heart is fragile when you leave
But this heart grateful you have introduced the meaning of a broken heart
I can still smile while getting bad grades
I can still smile when dropped
But I would not be smiling if it can not meet you
You introduced me to a love
But you were also introduced me to breakup
I’ve never know a woman like you
I also have never loved a woman like you
And I’ve never felt hurt because of you
None other than the beautiful scenery seen
None other than the beautiful singing heard
And no one has to know you regret
This heart will smile with you when both
And this will be a pensive moment waiting to hear from you