Pepkor-owned JD Group has confirmed that it suffered a data breach that exposed the personal information of over half a million of its customers.
On Wednesday, 31 May 2023, the retail company published notices on the websites of all its stores from its Group CEO, Peter Griffiths, informing customers of the breach.
The stores impacted are Bradlows, Everyshop, HiFi Corp, Incredible (Connection), Rochester, Russells, and Sleepmasters.
Griffiths said the “Date Security Incident” notification was being posted in terms of section 22(b) of the Protection of Personal Information Act 4 of 2013.
This legislation requires companies to notify any data subjects, including customers, if they become aware that a party gained unauthorised access to their information.
“A breach has taken place, and personal information, such as names, contact details, and ID numbers, have been exposed,” Griffiths stated.
The CEO said the company had taken “immediate action” to investigate and mitigate the impact of the breach.
“The entire extent of the incident has already been assessed, and our dedicated team has been working on identifying affected data subjects and providing prompt communication,” said Griffiths.
“We will also cooperate with regulatory authorities and implement enhanced security measures to mitigate such incidents in the future.”
Griffiths added that no banking or financial data had been compromised.
JD Group’s notice comes a few days after a user calling themselves “Chucky” posted what they claimed to be the records of 500,000 JD Group and 67,000 Everyshop customers on a pubicly-accessible hacker forum on Saturday, 27 May 2023.
A MyBroadband reader notified us about a tweet from @FalconFeedsio highlighting the Everyshop leak, after which we also discovered the post featuring the JD Group breach.
The databases are text files in the comma-separated format (.csv). They included column titles such as ID, names, emails, phone numbers, delivery addresses, billing addresses, dates of birth, gender, and even VAT numbers.
The leaker attached samples in each post that included some names and surnames, email addresses, home addresses, ID numbers, and, in some cases, phone numbers.
Many of the names and surnames seem to be typically South African, the ID numbers and phone numbers matched South Africa’s formats, and the addresses appeared to point to real locations in South Africa.
In addition to the above, the records also included the dates on which the users created their accounts and with which particular store they were held.
We informed JD Group about the apparent data breach and reported on it shortly thereafter.
The company has now confirmed that it was indeed the victim of a data breach and that the leaked information wasn’t somehow faked.
Nowadays, attackers that steal data often try to extort money from the victim company in exchange for the promise that they won’t leak it.
However, in this instance, downloading both databases required 18 forum credits — worth around $3.60 (R70).
While Griffiths said the incident had been contained, the database was still available to download from the hacker forum at the time of publication.
He recommended that customers who suspect their personal information might have been comprised in the breach take the following precautionary steps:
- Monitor transactional activity and report any suspicious activity.
- Change passwords often and ensure there is complexity in the configuration (e.g. with the use of special characters).
- Be vigilant for phishing attempts: Be cautious of unsolicited emails, messages, or phone calls asking for personal information or financial details. Legitimate organisations will not request this information via insecure channels.
- Follow official announcements from JD Group and regulatory authorities for further instructions and guidance.
- Do not click on any suspicious links.
- Only provide personal information when there is a legitimate reason to do so.