Pharmaceutical retail giant Dis-Chem has disputed claims by the Information Regulator of South Africa after it was issued an Enforcement Notice for contravening various sections of the Protection of Personal Information Act (POPIA).
According to the Information Regulator, in April and May last year, Dis-Chem’s third-party service provider, Grapevine, suffered a cyber attack.
“On May 1 Dis-Chem became aware of the security compromise, through SMSs sent to some of its employees, and on May 5, Dis-Chem then notified the Regulator in writing of this.”
“Approximately 3.6 million data subjects’ records were accessed from Dis-Chem’s e-Statement Service database which was managed by Grapevine. The affected records in this database were limited to names and surnames, e-mail addresses, and cellphone numbers of the data subjects.”
The Regulator said it conducted its own assessment into the matter “following Dis-Chem’s failure to notify data subjects as required by section 22 of POPIA”.
The Regulator determined that Dis-Chem had interfered with the protection of personal information of the data subjects, and thus breached the conditions for the lawful processing of personal information.
Dis-Chem was found to have failed to identify the risk of using weak passwords and to prevent the use of such passwords; to put in place adequate measures to monitor and detect unlawful access to its environment; and to enter into an operator agreement with Grapevine and ensure that Grapevine had adequate security measures in place to secure the personal information in its possession.
The Enforcement Notice orders Dis-Chem, among other things, to conduct a Personal Information Impact Assessment to ensure that adequate measures and standards exist to comply with the conditions for the lawful processing of personal information, as required by Regulation 4(1)(b) of POPIA. The Notice also orders Dis-Chem to implement an adequate Incident Response Plan; to implement the Payment Card Industry Data Security Standard (PCI DSS) by maintaining a vulnerability management programme; and to implement strong access control measures and maintain an Information Security Policy.
“Should Dis-Chem fail to abide by the Enforcement Notice within the stipulated timeframe (31 days), it will be guilty of an offence, for which the Regulator may impose an administrative fine of an amount not exceeding R10 million, or it may be liable upon conviction to imprisonment, or both.”
The company said that it had already responded to and actioned all orders contained in the Enforcement Notice.
“The company confirms that the data held by the third-party provider was restricted to mailing details only and did not contain any sensitive medical, financial, or banking information. The provider can never have access to this type of information. Dis-Chem strongly disputes the regulator’s claim that it failed to notify data subjects, as it followed all required POPI guidelines to ensure that customers were immediately made aware of the breach. A formal notice was published on the Dis-Chem website and a media statement was released nationally,” said Dis-Chem.
The company added that the allegation that it did not implement an adequate Incident Response Plan by implementing PCI DSS had no bearing on, and was irrelevant to, the Enforcement Notice.
Cape Times