
Dis-Chem ordered to take remedial action after personal data breach

The company faces a fine of as much as R10m if it fails to implement remedial action

Picture: FREDDY MAVUNDA

Pharmacy and retailer Dis-Chem has been ordered by the industry’s regulator to take remedial action or risk a fine of as much as R10m after a data breach at the company more than a year ago.

The personal data of as many as 3.6-million Dis-Chem customers was compromised in the incident, according to the Information Regulator of SA.

The affected records in the database, which is managed by the third-party company Grapevine, were limited to names and surnames, email addresses, and mobile phone numbers.

The regulator said Dis-Chem failed to notify customers of the incident, falling foul of section 22 of the Protection of Personal Information Act (Popia). 

However, the company has dismissed the charge, saying a formal notice was published on its website and a media statement was released nationally after the incident in May 2022.

In a statement on Friday, the regulator said its investigation had found that Dis-Chem failed to identify the risk of using weak passwords and prevent the usage of such passwords.

It also “failed” to put in place adequate measures to monitor and detect unlawful access to their environment.

Grapevine suffered a so-called brute-force attack, in which an unscrupulous party cracks a password by repeatedly trying different character combinations until the correct one is found.
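The regulator's two findings above, weak passwords and no monitoring for unlawful access, are the two things a brute-force attack relies on. The following is an added example, not code from Dis-Chem, Grapevine or the regulator, showing the kind of detection logic the second finding calls for: it reads constructed authentication log lines (the format and all addresses and user names are assumed), raises an alert for any source that accumulates a threshold of failed logins inside a sliding time window, and records whether a successful login from that source followed the burst, which is the signal that a weak password was actually guessed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, not from the incident. Each line: ISO timestamp, source IP, user, result.
# 203.0.113.5 guesses five different accounts in ten seconds, then logs in as "erin".
# 198.51.100.7 is an ordinary user who mistypes a password twice, minutes apart.
SAMPLE_LOG = """\
2022-05-01T10:00:01 203.0.113.5 alice FAIL
2022-05-01T10:00:03 203.0.113.5 alice FAIL
2022-05-01T10:00:05 203.0.113.5 bob FAIL
2022-05-01T10:00:07 203.0.113.5 carol FAIL
2022-05-01T10:00:09 203.0.113.5 dave FAIL
2022-05-01T10:00:11 203.0.113.5 erin OK
2022-05-01T10:00:20 198.51.100.7 frank FAIL
2022-05-01T10:05:00 198.51.100.7 frank FAIL
2022-05-01T10:05:30 198.51.100.7 frank OK
"""


def parse_line(line):
    """Split one log line into (timestamp, source ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: {"alert_at": ts, "success_after": user_or_None}} for every
    source that reaches `threshold` failed logins within `window`.
    A success from an already-alerted source is recorded as a likely compromise."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = parse_line(line)
        if result == "OK":
            if ip in alerts and alerts[ip]["success_after"] is None:
                alerts[ip]["success_after"] = user
            continue
        recent = failures[ip]
        recent.append(ts)
        # Drop failures that fell out of the sliding window.
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold and ip not in alerts:
            alerts[ip] = {"alert_at": ts, "success_after": None}
    return alerts
```

In practice the same counter would key on the target account as well as the source address, since a distributed attack spreads attempts across many addresses, and the alert should feed lockout or rate-limiting rather than only a log entry.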

As the remedial action, Dis-Chem has been ordered to conduct a personal information impact assessment to ensure that adequate measures and standards exist to comply with the conditions for the lawful processing of personal information as required by Regulation 4(1)(b) of Popia.

According to the enforcement notice, the company has to ensure that it concludes written contracts with all operators who process personal information on its behalf, and that such contracts compel the operator(s) to establish and maintain the same or better security measures.

However, Dis-Chem said it has already responded to and acted on all orders contained in the enforcement notice and will report to the regulator within 31 days, as requested.

The company stressed that the data held by the third-party provider was restricted to mailing details only and did not contain any sensitive medical, financial or banking information.

“Dis-Chem strongly disputes the regulator’s claim that it failed to notify data subjects as it followed all required Popi guidelines to ensure that customers were immediately made aware of the breach,” it said in a statement.

mahlangua@businesslive.co.za
