Dis-Chem has been found to have contravened the Protection of Personal Information Act.
The Information Regulator has ordered pharmacy chain Dis-Chem to take remedial action to address a hack that led to the personal data of 3.6 million customers being breached last year, or face a fine of up to R10 million, imprisonment, or both.
The Regulator issued an enforcement notice to Dis-Chem on Thursday, 31 August, after finding that the retailer had contravened several sections of the Protection of Personal Information Act (Popia).
Dis-Chem had to report back to the constitutional body within 31 days on the actions it was taking.
“Following the assessment, the Regulator determined that Dis-Chem had interfered with the protection of personal information of the data subjects, and thus breached the conditions for the lawful processing of personal information,” it said.
The Regulator’s assessment found that Dis-Chem had failed to identify the risk posed by weak passwords, lacked adequate monitoring, and had no operator agreement with its third-party provider requiring sufficient security measures to be in place.
Responding to the enforcement notice, Dis-Chem issued a statement disputing the accuracy of some of the Regulator’s allegations.
“Dis-Chem confirms it has already responded to and actioned all orders contained in the Enforcement Notice and will report to the Regulator within 31 days as requested.
“The company confirms that the data held by the third-party provider was restricted to mailing details only and did not contain any sensitive medical, financial, or banking information,” it said.
Around April and May 2022, Dis-Chem’s third-party service provider, Grapevine, suffered a “brute force attack”, an attack that cracks a password by trying candidate combinations one after another until the correct one is found. Such an attack is only feasible where the password is weak enough to be guessed in a practical number of attempts and where nothing in the login path limits or flags repeated failures.
The Regulator said Dis-Chem became aware of the security compromise on 1 May through SMSes sent to some of its employees, with the pharmaceutical retailer notifying the Regulator of the breach in writing four days later.
The records of 3.6 million customers were accessed, but this was limited to names, surnames, email addresses and cellphone numbers.
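The Regulator faulted Dis-Chem and its provider for weak passwords and insufficient monitoring. A brute-force attempt of the kind described above leaves a very visible trail in authentication logs: a burst of failed logins from one source, often followed by a success. The following is an added illustration, not code from the article or from Dis-Chem or Grapevine, of the detection logic a monitoring system would run over such logs. The log format, the threshold and window values, the usernames and the IP addresses (taken from documentation ranges) are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines for illustration (not real Dis-Chem or Grapevine data).
# Assumed format: "<ISO timestamp> <source IP> <username> <login_ok|login_fail>"
SAMPLE_LOG = """\
2022-04-30T22:00:01 198.51.100.7 mailer login_fail
2022-04-30T22:00:02 198.51.100.7 mailer login_fail
2022-04-30T22:00:03 198.51.100.7 mailer login_fail
2022-04-30T22:00:04 198.51.100.7 mailer login_fail
2022-04-30T22:00:05 198.51.100.7 mailer login_fail
2022-04-30T22:00:06 198.51.100.7 mailer login_fail
2022-04-30T22:00:07 198.51.100.7 mailer login_ok
2022-04-30T22:05:00 203.0.113.9 alice login_fail
2022-04-30T22:30:00 203.0.113.9 alice login_ok
"""

FAIL_THRESHOLD = 5              # assumed: failures from one source that trigger an alert
WINDOW = timedelta(seconds=60)  # assumed: sliding window over which failures are counted


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome


def detect_brute_force(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return a list of (alert_type, source_ip, username, timestamp) tuples.

    "brute_force" fires once per burst when a source accumulates `threshold`
    failures inside `window`. "success_after_failures" fires when a login
    succeeds from a source that has already crossed the threshold in the
    current window: the guessing very likely worked, so the account should be
    treated as compromised rather than as a user who finally remembered a
    password. A lone failure followed much later by a success (alice below)
    produces no alert, because the window has emptied by then.
    """
    recent_failures = defaultdict(deque)  # ip -> failure timestamps inside the window
    alerted = set()                       # ips already alerted in the current burst
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, user, outcome = parse_line(raw)
        q = recent_failures[ip]
        # Slide the window: drop failures older than `window`.
        while q and ts - q[0] > window:
            q.popleft()
        if not q:
            alerted.discard(ip)  # the burst has ended; a new one may alert again
        if outcome == "login_fail":
            q.append(ts)
            if len(q) >= threshold and ip not in alerted:
                alerts.append(("brute_force", ip, user, ts))
                alerted.add(ip)
        elif outcome == "login_ok" and len(q) >= threshold:
            alerts.append(("success_after_failures", ip, user, ts))
    return alerts


if __name__ == "__main__":
    for alert_type, ip, user, ts in detect_brute_force(SAMPLE_LOG):
        print(f"{ts.isoformat()} {alert_type}: {ip} -> {user}")
```

On the constructed input this raises a `brute_force` alert for 198.51.100.7 at the fifth failure and a `success_after_failures` alert when the same source then logs in as `mailer`; the single stray failure from 203.0.113.9 produces nothing. In production the same logic would be paired with a lockout or rate limit on the login endpoint, and the `success_after_failures` case would trigger a forced credential reset and an incident-response ticket, since at that point the data behind the account must be assumed accessed.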
The Regulator’s enforcement notice ordered Dis-Chem to conduct a personal information impact assessment to ensure that adequate measures and standards exist to comply with Popia.
Dis-Chem also had to implement an adequate incident response plan, comply with the Payment Card Industry Data Security Standard (PCI DSS) by maintaining a “vulnerability management programme”, maintain an information security policy, and introduce strong access control measures.