Security | 1 September 2023

Dis-Chem ordered to fix security problems or face R10-million fine after data breach

The Information Regulator has served an enforcement notice on Dis-Chem Pharmacies after finding the company had not done enough to secure its customers’ private data.

This comes after Dis-Chem revealed that nearly 3.7 million of its clients’ records were compromised in a data breach last year.

It said people’s names, e-mail addresses, and cellphone numbers were potentially exposed.

Dis-Chem was cagey with the details at the time, only saying that a third-party service provider had been involved in an “incident”.

The Information Regulator revealed on Friday that the service provider was a company called Grapevine, and the “incident” was a simple brute force attack that occurred sometime in April.

“A brute force attack is aimed at cracking a password by continuously trying different combinations until the right character combination is found,” the regulator explained.

“On 1 May 2022, Dis-Chem became aware of the security compromise, or data breach, through SMSes sent to some of its employees, and on 5 May 2022, Dis-Chem then notified the Regulator in writing of this security compromise.”

The official number of records potentially compromised has come down to around 3.6 million data subjects.

The breach happened in Dis-Chem’s e-Statement Service database, which Grapevine managed.

“The affected records in this database were limited to names and surnames, e-mail addresses, and cellphone numbers of the data subjects,” the regulator confirmed.

In its assessment, the regulator found that Dis-Chem failed to:

  • Identify the risk of using weak passwords and prevent the usage of such passwords.
  • Put in place adequate measures to monitor and detect unlawful access to their environment.
  • Enter into an operator agreement with Grapevine and ensure it had adequate security measures to secure personal information in its possession.
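The first two findings above are technical rather than contractual, and both can be checked mechanically. As an added example (not from the article, and not code from Dis-Chem, Grapevine or the Information Regulator), the block below applies a minimal weak-password gate and then runs a brute-force detector over a handful of constructed authentication log lines: any (source address, account) pair that accumulates a threshold of failed logins inside a sliding window is flagged, and a successful login shortly after such a burst is marked separately, since that is the pattern that indicates the guessing worked. The log format, field names, thresholds and the common-password list are all assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format; not real Grapevine or Dis-Chem logs.
SAMPLE_LOG = """\
2022-04-12T02:14:01Z auth FAIL user=admin src=203.0.113.7
2022-04-12T02:14:02Z auth FAIL user=admin src=203.0.113.7
2022-04-12T02:14:02Z auth FAIL user=admin src=203.0.113.7
2022-04-12T02:14:03Z auth FAIL user=admin src=203.0.113.7
2022-04-12T02:14:04Z auth FAIL user=admin src=203.0.113.7
2022-04-12T02:14:05Z auth OK   user=admin src=203.0.113.7
2022-04-12T02:30:00Z auth FAIL user=jsmith src=198.51.100.4
2022-04-12T09:45:10Z auth OK   user=jsmith src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Illustrative blocklist; a real deployment would use a large breached-password corpus.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "admin", "letmein", "welcome"}


def password_is_weak(pw: str, min_len: int = 12) -> bool:
    """Reject passwords that are too short, appear on the blocklist (case-insensitive),
    or are a blocklisted word padded with trailing digits/punctuation ("Welcome1234!")."""
    core = pw.lower().rstrip("0123456789!@#$%^&*.")
    return len(pw) < min_len or pw.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS


def parse(line: str):
    """Return (timestamp, result, user, src) or None if the line does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Flag each (src, user) pair whose failed logins within `window` reach `threshold`.

    Returns a list of alert dicts. `failures` counts the failures in the burst that
    triggered the alert plus any later ones; `success_after_burst` is set when a
    successful login for the same pair follows within `window` of the last failure.
    """
    failures = defaultdict(deque)  # (src, user) -> recent failure timestamps
    alerts = {}                    # (src, user) -> alert dict, in order of first alert
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue               # unknown format: skip rather than crash the detector
        ts, result, user, src = parsed
        key = (src, user)
        if result == "FAIL":
            q = failures[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures that fell out of the window
                q.popleft()
            if key in alerts:
                alerts[key]["last_seen"] = ts
                alerts[key]["failures"] += 1
            elif len(q) >= threshold:
                alerts[key] = {"src": src, "user": user, "first_seen": q[0],
                               "last_seen": ts, "failures": len(q),
                               "success_after_burst": False}
        elif key in alerts and ts - alerts[key]["last_seen"] <= window:
            alerts[key]["success_after_burst"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for pw in ("Password1!", "Welcome1234!", "correct-horse-battery-staple"):
        print(f"{pw!r}: {'weak' if password_is_weak(pw) else 'ok'}")
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Keying on (source, account) catches a single account being hammered, which is what the regulator's description of the incident suggests; a spraying attack that tries one password against many accounts from one address would need a second counter keyed on the source alone, and the window and threshold here are illustrative rather than tuned values.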

The Information Regulator said an operator agreement would have outlined reporting processes to Dis-Chem in case of a security compromise.

Accordingly, the regulator issued an enforcement notice on Dis-Chem with the following stipulations:

  • Conduct a Personal Information Impact Assessment to ensure that adequate measures and standards exist to comply with the conditions for the lawful processing of personal information as required by Regulation 4(1)(b) of POPIA.
  • Implement an adequate Incident Response Plan. Implement the Payment Card Industry Data Security Standard (PCI DSS) by maintaining a vulnerability management programme. Implement strong access control measures and maintain an Information Security Policy.
  • Ensure that it concludes written contracts with all operators who process personal information on its behalf, and that such agreements compel the operator(s) to establish and maintain the same or better security measures referred to in section 19 of POPIA.
  • Develop, implement, monitor, and maintain a compliance framework in terms of Regulation 4(1)(a) of POPIA, which makes provision for the reporting obligations of Dis-Chem and all its operators in terms of section 22 of POPIA.

“Dis-Chem must provide a report to the Regulator on the implementation of the actions ordered in the Enforcement Notice within 31 days of the issuing and receipt,” the regulator stated.

“Should Dis-Chem fail to abide by the Enforcement Notice within the stipulated timeframe, it will be guilty of an offence, on which the Regulator may impose an administrative fine of an amount not exceeding R10 million or be liable upon conviction to imprisonment or both.”


Pictured: Pansy Tlakula, Information Regulator chair