Dis-Chem flags data hack affecting over 3.6m customers

JSE-listed pharmacy retail and healthcare group Dis-Chem has issued a notice on its website alerting customers that one of its third-party service providers suffered a data compromise on Thursday April 28, affecting 3.68 million of its customers.

Dis-Chem says an investigation of the breach – which it became aware of on May 1 – revealed that hackers were able to gain access to the names, email addresses and cellphone numbers of the affected customers.

Read: SA businesses are actively improving their cybersecurity – study

“Upon being made aware of the incident, we immediately commenced an investigation into the matter and to ensure that the appropriate steps were taken to prevent any further incidents,” the group points out.

The retailer assured customers that there is currently no indication that their information has been published or used by the hackers. However, it did also warn that this might not be the case for long.

“Based on the categories of personal information impacted, there is a possibility that any impacted personal information may be used by the unauthorised party to commit further criminal activities, such as phishing attacks, emails compromises, social engineering and/or impersonation attempts,” the notice reads.

Dis-Chem further noted that in such cases hackers can cross-reference the compromised information with data stolen in other cyber attacks, forming part of an elaborate criminal scheme.

In its notice the group did not mention the third-party service provider that was hit by the cyber attack.

TransUnion hack

In mid-March, credit bureau TransUnion South Africa suffered a massive cyber attack which saw a hacker group calling itself N4aughtysecTU accessing various client information like credit scores, banking details and ID numbers of at least 54 million clients.

Read: Deadline passes for R220m extortion demand in TransUnion cyber attack

In this incident hackers demanded TransUnion to pay a $15 million ransom in bitcoin – about R220 million – to prevent the leaking of the sensitive information, however TransUnion refused to do so.

The newly established Information Regulator South Africa says while it is still investigating the cyber attack on TransUnion, attacks on personal information have been on the rise.

“Unfortunately, instances of data breaches are on the increase. With our enforcement powers having come into effect in July 2021 we remind the responsible parties of their obligation to report security compromises to the regulator,” Mukelani Dimba, head of education and communication at the watchdog says in a statement to Moneyweb.

“Failure to do so is violation of the provisions of POPIA [Protection of Personal Information Act] and we will hold parties guilty of such a violation accountable for such non-compliance.”

Practice caution

Meanwhile, Dis-Chem says the affected third-party service provider has made of use of additional safeguards to strengthen security and prevent further breaches.

However, the group did caution customers to remain cautious and recommended the following:

• Do not click on any suspicious links.
• Refrain from disclosing any passwords or PINs via email, text or even social media platforms.
• Change your passwords often and ensure there is complexity in the configuration (i.e. with the use of special characters).
• Ensure regular anti-virus and malware scans are performed on any electronic devices and check software is up to date.
• Only provide personal information when there is a legitimate reason to do so.

Dis-Chem further adds that it has employed the assistance of specialists who will monitor the web and dark web to detect the publication of the data stolen by the hackers.