SECP data scrape: Is there a silver lining?

Can something good come out of something bad?

In July of 2022, the Securities and Exchange Commission of Pakistan (SECP) experienced a data scrape which led to much of its data being accessed in an unauthorized manner. The episode got so little attention that even SECP had to be informed by an outsider of what had actually taken place.

The data that was scraped was put up for sale on the dark web, a serious breach of the trust that people place in SECP to handle this sensitive data. But could something good come from what actually happened? The data was used to set up a website under the domain name of which published the names of auditors, directors and chief executive officers of the respective companies.

The site has now been taken down. This was partly because the site went as far as listing personal addresses, phone numbers and other personal information which had nothing to do with the professional lives of these people. This should not have taken place. The question still remains whether such a website can add to the transparency of the markets and if there is a place for the SECP to manage a database for the betterment of the investors. Profit ponders this dilemma.

The need for information

SECP is the sole regulator overseeing the formation and registration of companies and the smooth operation of the capital markets. When a company registers itself, the benefit is that the company is able to trademark its name and function with the SECP. In return, the SECP asks the company for information relating to its directors, owner or Chief Executive Officer (CEO) and other particulars relating to the company.

Listed companies are mandated to publish all information to the market in the form of annual reports and announcements that are made through the system running in conjunction with the stock exchange. Many of the private companies are also required to provide data at regular intervals in order to keep their records updated with the regulator. Even though the data of private companies is not available to everyone, the SECP still makes sure that this data is recorded by the companies. The data scrape that took place was a violation because much of the scraped data related to private companies, which is supposed to be protected.

The data scraping

Data scraping takes place when protected data is accessed in an unauthorized manner and an outsider is able to get information which is sensitive in nature. In the case of SECP, it was actually reported by back in July of 2022 after the data breach had occurred. The first signs of a data breach were seen and questions were sent by the representatives of the website seeking clarification.

The data scraping was carried out with ease because the SECP website had a weak digital link. That link was supposed to be examined in vulnerability and penetration testing due to take place in February of the year, but that test was never carried out.

The article caught the attention of Zaki Khalid. Khalid, CEO and Intelligence Lead at Pantellica, saw the article and then tried to verify the claims that a breach had taken place. He is one of the pioneers of Open Source Intelligence in the country.

When approached for this story, Khalid stated that the episode was not a hack but an unauthorized bulk scraping of content from the website, which was made possible by the vulnerabilities that existed. “[The scraping was] undertaken by an Indonesia-based company called EmerHub that sells corporate data to customers. The chief architect of this entire effort is an Estonian-origin businessman named Lauri Lahi. Programmers were hired in Pakistan and Indonesia to work on the data that had been scraped which should not have been placed on the online server in the first place.”

Once Khalid contacted the regulator, he was contacted privately and a representative assured him that action would be taken. However, a detailed complaint was filed through the Citizens’ Portal, while an email sent to functionaries of SECP was never responded to. In essence, it was Khalid who brought the breach to the notice of SECP itself, as even the regulator was not privy to what had taken place.

“Before closing my complaint in Citizen’s Portal, SECP listed the measures taken by them. The website remains down but the data exfiltrated from SECP remains very much in the possession of EmerHub and is very likely still being sold through its internal channels to various clients,” says Khalid.

He further adds: “I count myself among those executives who believe in transparency especially after the fiasco Pakistan faced with the FATF. First and foremost, transparency lies at the core of investor confidence. However, publicizing or exploiting personal information including CNIC number and residential address (as compared to a business address) is absolutely unnecessary and opens avenues to threaten the personal safety and security of a Director.”

Value for transparency

Once the data had been collected, EmerHub set up the website under the name of which disclosed the information regarding the CEO, directors and auditors of the private companies which is usually not known. The issue with the website wasn’t that it was disclosing something new. Even SECP allows some of this data to be accessed once an individual applies for it and pays the relevant fees. The outcry was over the fact that personal information of the individuals was also accessible, which no one should be allowed to see. It is an understood fact that releasing personal information is a breach of trust and should not be carried out.

But such an episode does raise new questions. Should people know about the key personnel of a private company and have access to their professional information?

Private companies are hidden behind a veil of secrecy as the information relating to their key personnel is not readily known. Companies carry out transactions with each other and sometimes have board members who are common between many companies. This creates linkages between companies, and knowing them develops an understanding of the ownership and control structure within them.

Suppose a person sets up a private company named Tigers (Private) Limited and is involved in manufacturing of road building materials. He also sits on the board of a cement manufacturing company which is planning to build a road from their factory to a highway. Right now, if Tigers gets a contract from the listed company, no one would know that there is a conflict of interest where the director is diverting funds and projects to his own private company. However, having an online database can help establish that link and bring to notice what is taking place.

Similarly, there are related party transactions where companies related to each other, due to a common board, transact business with each other. As both companies are privately owned, there is little that can stop such a transaction from taking place. The board of directors needs to approve such transactions, which mostly go through. The compensation and payment for any provision of goods and services is not based on any competitive bidding process and is not transparent.

Having access to key personnel information can allow for such a transaction to be scrutinized in detail. This process becomes even worse when it is considered that related party transactions are evaluated on a value transfer basis where money never changes hands. The valuation of such a transaction needs to be looked at in detail in order to make sure a fair transaction has taken place. If professional linkages and connections are not known, these transactions will not be scrutinized to the extent that they should be.

This can also impact listed companies where a private company can be given a lucrative contract at the expense of the listed company. The director who runs the private company can make the listed company pay an exorbitant price and make a large chunk of change while taking money away from the listed company, which has shareholders who are investing in the company. This would be a simple case of the private company benefitting while the shareholders of the listed company end up losing out. Having this information can also cut down on trade-based money laundering and can help make the markets and companies more transparent to the investors while closing an information gap that currently exists.

The SECP can even run the database itself, making sure that the data is protected from any future breaches and that only professional information becomes part of the public domain.

Zain Naeem
Zain is a business journalist at Profit, and can be reached at [email protected]


