Shoprite Group’s “suspected data compromise” affecting some Money Transfer customers is a data breach by another name, says privacy and technology legal expert Jos Floor.
The company announced last week that the compromise might have impacted specific customers who transferred money outside South Africa.
It affected a subset of customers who performed money transfers to and within Eswatini, and within Namibia and Zambia, Shoprite disclosed.
Shoprite said an unauthorised party accessed the data. However, it is unclear whether that person downloaded the data or what their intentions might be.
“Affected customers will receive an SMS to the cell number supplied at the time of the transaction,” Shoprite stated.
“An investigation was immediately launched with forensic experts and other data security professionals to establish the origin, nature, and scope of this incident.”
Shoprite said it had implemented additional security measures to protect against further data loss, changing its authentication processes and its fraud prevention and detection strategies to protect customer data.
“Access to affected areas of the network has also been locked down,” the company assured.
“The data compromise included names and ID numbers, but no financial information or bank account numbers.”
Shoprite said it had notified the Information Regulator.
“Investigations are ongoing. The Group is not aware of any misuse or publication of customer data that may have been acquired; however, web monitoring relating to the incident continues.”
Floor explained that the Protection of Personal Information (POPI) Act requires Shoprite to publish the notice announcing the breach.
“Failing to do so could draw a harsher response from the authorities,” he told MyBroadband.
Floor also explained that POPI considers Shoprite a responsible party that must implement security measures to prevent unlawful access to personal information.
“This incident now raises the question of whether their measures were indeed adequate,” he said.
“It does not make a difference how the access occurred, whether through hacking or if the information was left out in the cold, it remains a data breach.”
He said it would be interesting to follow how the Information Regulator deals with the case.
“The Information Regulator can decide on its own initiative to investigate the incident,” Floor stated.
“If someone lodges a complaint about the incident, the Information Regulator is obliged to start the investigation process.”
One possible outcome could be that the regulator issues Shoprite with an enforcement notice to rectify any shortcomings.
If Shoprite does not comply with the enforcement notice, it could be fined up to R10 million.
“The combination of names and ID numbers is significant. These two data fields are often used in multi-factor identification and provide an ideal starting point for hackers,” Floor said.
Another issue with South African ID numbers is that they reveal a lot of personal information about you.
Floor said that any responsibly-resourced person could determine your birthday, gender, and citizenship status from your ID number.
“Combine that with a name, and it can get you into a lot of places,” he said.
Shoprite declined to answer MyBroadband’s questions about the compromise and pointed us to its statement issued on Friday.