{"id":651452,"date":"2026-06-04T07:00:00","date_gmt":"2026-06-04T05:00:00","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=651452"},"modified":"2026-06-04T13:57:58","modified_gmt":"2026-06-04T11:57:58","slug":"takealot-employee-blunder-leads-to-two-week-long-leak-of-confidential-documents","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/651452-takealot-employee-blunder-leads-to-two-week-long-leak-of-confidential-documents.html","title":{"rendered":"Takealot Fulfilment Solutions employee blunder leads to two-week long leak of confidential documents"},"content":{"rendered":"\n<p>Employees of Takealot Fulfilment Solutions (TFS), the business-to-business fulfilment service of Takealot, accidentally exposed the personal data of delivery drivers and jobseekers.<\/p>\n\n\n\n<p>An individual with no relation to Takealot was copied into email chains where the company sent him private details of drivers and internal documentation for over two weeks.<\/p>\n\n\n\n<p>The individual, who would like to remain anonymous, reached out to MyBroadband seeking help, as their repeated requests for TFS to stop sending emails went unanswered.<\/p>\n\n\n\n<p>They requested anonymity as they were concerned they could be drawn into a broader investigation over Protection of Personal Information Act (POPIA) violations.<\/p>\n\n\n\n<p>&#8220;I do not work for Takealot, and I never have. I have been receiving these emails for the better part of 2 weeks now. 
Kindly remove me from this mailing list,&#8221; they said in one attempt to alert the company.<\/p>\n\n\n\n<p>They said they regularly received certified copies of South African and foreign national IDs, drivers&#8217; licences, work permits, and temporary visa applications.<\/p>\n\n\n\n<p>They were also CC&#8217;d on internal TFS documentation related to its drivers, including details on job interviews, hiring tallies and new driver numbers.<\/p>\n\n\n\n<p>The source showed MyBroadband emails they received from TFS, internal files and images they were sent that contained personal information, and their attempts to be removed from the email chain.<\/p>\n\n\n\n<p>&#8220;I am a private individual with no ties to Takealot, yet my personal email address is receiving internal Takealot Fulfilment Solutions driver verification workflows,&#8221; they said.<\/p>\n\n\n\n<p>MyBroadband reached out to Takealot and TFS to ask whether they were aware of the data leak and why they did not see or respond to the individual&#8217;s requests to be removed from the emails.<\/p>\n\n\n\n<p>Merlin Norman, TFS marketing head, told MyBroadband that it immediately launched an investigation into the matter to discover why it occurred in the first place.<\/p>\n\n\n\n<p>&#8220;Upon becoming aware of the error, TFS immediately escalated the matter and initiated an investigation,&#8221; said Norman.<\/p>\n\n\n\n<p>&#8220;The investigation found that the incident resulted from human error during the processing of driver verification-related support tickets.&#8221;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Consequences for entities found to have shared private information via email errors<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1200\" height=\"675\" src=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/06\/Takealot-Fulfilment-Solutions-Redacted-1200x675.jpg\" alt=\"\" class=\"wp-image-651949\" 
srcset=\"https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/06\/Takealot-Fulfilment-Solutions-Redacted-1200x675.jpg 1200w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/06\/Takealot-Fulfilment-Solutions-Redacted-600x338.jpg 600w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/06\/Takealot-Fulfilment-Solutions-Redacted-768x432.jpg 768w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/06\/Takealot-Fulfilment-Solutions-Redacted-1536x864.jpg 1536w, https:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2026\/06\/Takealot-Fulfilment-Solutions-Redacted.jpg 1600w\" sizes=\"(max-width: 1200px) 100vw, 1200px\" \/><figcaption class=\"wp-element-caption\">Screenshots of documents sent to the individual accidentally by Takealot with personal information redacted. <\/figcaption><\/figure>\n\n\n\n<p>Based on information from the individual, MyBroadband found that their email address was similar to that of a Takealot employee, which could explain why the blunder occurred in the first place.<\/p>\n\n\n\n<p>&#8220;The relevant teams have since been re-briefed on recipient verification procedures,&#8221; Norman said.<\/p>\n\n\n\n<p>&#8220;Additional process improvements are being implemented to strengthen controls and reduce the risk of a similar incident occurring in future.&#8221;<\/p>\n\n\n\n<p>TFS did not explain exactly how the error occurred, but it did say it intended to comply with any obligations under POPIA.<\/p>\n\n\n\n<p>The Information Regulator of South Africa has taken corrective steps against organisations found to have breached POPIA for similar errors.<\/p>\n\n\n\n<p>Consequences can be severe if an institution fails to report a privacy compromise to the regulator after becoming aware of it.<\/p>\n\n\n\n<p>On 20 May 2026, the Information Regulator issued <a href=\"https:\/\/inforegulator.org.za\/wp-content\/uploads\/2026\/05\/CJC-ENFORCEMENT-NOTICE-220526-redact_Redacted.pdf\">an enforcement notice<\/a> in 
terms of Section 95 of POPIA to the Central Johannesburg TVET College.<\/p>\n\n\n\n<p>According to the notice, the acting chief financial officer of the college accidentally attached Personal Credential Verification Reports containing people&#8217;s financial details in a mass email to staff.<\/p>\n\n\n\n<p>Despite the email being recalled two days after it was sent and the launch of an internal investigation, the regulator still issued an enforcement notice.<\/p>\n\n\n\n<p>&#8220;Recall&#8221; is a feature specific to Microsoft Outlook. Other email clients, including Gmail, do not honour Microsoft Outlook recall requests because Internet Engineering Task Force standards do not require it.<\/p>\n\n\n\n<p>Because of the way email protocols were designed, even if a message is recalled, there is also no guarantee that the original recipients did not read it or download sensitive information it contained.<\/p>\n\n\n\n<p>The Information Regulator criticised the TVET college for not having a registered Information Officer responsible for POPIA compliance. This is a non-negotiable compliance requirement under POPIA, it said.<\/p>\n\n\n\n<p>It also found that the TVET did not store sensitive information in separate file structures; it used the same system as for routine documents, without any access controls, separation, or safeguards.<\/p>\n\n\n\n<p>This particular point violated section 19 of the Act, it found. 
Finally, the fact that the TVET did not notify the regulator compounded the private data breach, which led to the issuing of the notice.<\/p>\n\n\n\n<p>The regulator said that the TVET would have to prove that it complied with recommendations, including sending notifications of the exposure and appointing an Information Officer within 60 days of the notice.<\/p>\n\n\n\n<p>&#8220;The Responsible Party which fails to comply with this Enforcement Notice is guilty of an offence and liable upon conviction to fine or to imprisonment for a period not exceeding 10 years,&#8221; it said.<\/p>\n\n\n\n<p>In 2023, the regulator fined the Department of Justice R5 million for repeatedly failing to comply with its recommendations following a ransomware attack that exposed over 1,200 files containing personal data.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Emails from a Takealot Fulfilment Solutions employee accidentally leaked private data belonging to drivers of the company for over two weeks.<\/p>\n","protected":false},"author":341213,"featured_media":651948,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[105669,63066,105668,66803,105667,18526,62830,995,101525],"class_list":["post-651452","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-central-johannesburg-tvet-college","tag-data-breaches","tag-information-breaches","tag-information-regulator-of-south-africa","tag-merlin-norman","tag-pansy-tlakula","tag-popia","tag-takealot","tag-takealot-fulfilment-solutions"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/651452"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/use
rs\/341213"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=651452"}],"version-history":[{"count":13,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/651452\/revisions"}],"predecessor-version":[{"id":652035,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/651452\/revisions\/652035"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/651948"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=651452"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=651452"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=651452"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}