NASSAU, BAHAMAS — An international information activist group called Distributed Denial of Secrets (DDoS) unlawfully hacked into The Bahamas’ corporate registry server in January, confirmed the Office of the Attorney General yesterday.
The revelation comes over a week after the group published data from the registry on its website in a free online searchable database.
On May 22, popular German news magazine Der Spiegel published an article on the leak – revealing that the DDoS team had shared a large database from the registry with the publication four months ago.
“Der Spiegel, in cooperation with the investigative journalism network European Investigative Collaborations (EIC) and the Henri Nannen School of Journalism in Hamburg, has reviewed around 1 million documents in total,” the article noted.
“The results of that search make it clear why the island nation continually resists international pressure to establish transparency. And why the country’s efforts no longer go far enough to protect its clients and their letterbox companies today.”
DDoS was launched in December last year – with journalists Emma Best and Lorax B. Horne (who are based in North America) identified as principal activists in the group.
The data was released as part of the group’s “Project X-Ray”, which is a crowdsourced effort to “identify the owners of offshore corporations who are contributing to global inequality”.
In a statement on the breach, the attorney general noted that the leaked data is required by law to be maintained in the Companies Registry and is readily available to the public upon payment of a search fee.
“We regret to confirm that sometime during the month of January 2020, criminal elements associated with a group called Distributed Denial of Secrets unlawfully hacked into the AS400 Server housing the Registrar-General’s filings information – which is thereafter transferred to the e-Services Business Registration system – and stole the information therein housed,” the statement said.
“The said information has recently been published and widely distributed.
“These acts are breaches of the Data Protection Act and the Penal Code.”
The statement further advised that a thorough police investigation is also currently underway, along with a review of all digital security systems.
“Based on the findings, all necessary action will be taken to ensure that we maintain the requisite data protection, as we understand the importance of this to upholding Bahamian Law, to the business community and to the general public,” it added.
“The Office of the Registrar-General, under the guidance of DTAD, was already in the midst of upgrading to a new server, with improved security features. This process is now being accelerated.”
Despite the breach, the statement noted that the secured and separate database storing the beneficial ownership data that must be filed electronically under the Register of Beneficial Ownership Act was not affected by the hacking exercise, nor was it in any way compromised.
“The Bahamas remains committed to the transparency of its corporate registry.”
In 2016, The Bahamas’ corporate registry saw a similar breach, when a cache of 1.3 million files was published, providing names of directors and some owners of more than 175,000 Bahamian companies, trusts and foundations registered between 1990 and early 2016.
The information was released by the International Consortium of Investigative Journalists (ICIJ) in the form of an online database.
In a statement last night, Progressive Liberal Party (PLP) Deputy Leader Chester Cooper expressed grave concern over the matter.
Cooper noted that the issue is the lack of security that enabled the database to be hacked.
He called on the attorney general to indicate whether the existing system has been tested for vulnerabilities and whether appropriate investment is being made for relevant system upgrades.
“We welcome the news that this hacking is the subject of an ongoing investigation and eagerly await its outcome and recommendations,” Cooper added.
“We hope that this investigation will be rapidly completed and made public, unlike other promised investigations about which the public has heard nothing further.”