AZ Corporation Commission's Completely Inadequate Response to My Critique on their Site Security
A while back I wrote about my concerns about the total absence of any security at all in the Arizona corporate annual reporting system
I started the annual reporting process by just typing in the name of my company and getting started. There was no password protection, no identity check. They had no way of knowing I had anything to do with this corporation and yet I was answering questions like "have you been convicted for fraud." The potential for mischief is enormous. One would have to get the timing right (an annual report must be due before one can get in) but one could easily open the site on January 1 and start entering false information in the registrations for such corporations as Exxon and Wal-Mart.
See for yourself. .
I showed how one could open and file the report for a company like Wal-Mart, changing all their officers names, and confessing to all sorts of imagined corporate crimes
Again, note what I am saying. This is not the result of hacking. This is not lax security I figured out how to evade. This is the result of no security whatsoever. I simply went to the link above, clicked on the Wal-Mart Associates link, and then clicked on the annual report link. I know from doing my own registration that there is a signature page at the end, but all you do is type in the name of an officer and a title -- data that is right there on the site. It's like asking you for a password after the site just listed all the valid passwords.
The head of the Arizona Corporation Commission wrote me back. Here is here email in its entirety:
Dear Mr. Meyer:
Thank you for your email regarding the Corporations Division. The Arizona Corporation Commission is the repository for all business formation documents for corporations and limited liability corporations. We are in full compliance with state statutes.
Submitting false documents to alter another’s corporate structure or status is a crime and carries a Class 4 or Class 5 penalty. The Commission or the aggrieved business entity may refer the false filing to the Attorney General’s office for prosecution. Additionally, the individual business entity may pursue a civil cause of action. The Commission only accepts on-line charges for a few services such as name reservation or to order a certificate of good standing, and the online payment process is completely secure.
Even though the Commission’s existing security measures comply with the state law and are similar to most other states and other Arizona governmental entities like the County Treasurer’s Office, the Commission is looking at implementing new technology to allow for the online submission of additional services – such as the filing of original Articles of Organization and Articles of Incorporation. We do intend to provide password protected security features when that new technology is offered to the public.
J. Jerich
Executive Director
Arizona Corporation Commission
I had no doubt that submitting a false annual report for Wal-Mart would be illegal. Duh. However, it is just incredibly naive that this is the sole extent of the Commission's security, to prosecute people once the damage is done. Can you imagine if Amazon had the same security policy - "we are getting rid of passwords because it would be illegal for you to buy something from someone else's account." I wonder if the commissioners leave their doors unlocked at night, trusting in the threat of future prosecution to deter burglary and mayhem in their homes?
