Information Regulator pursues Dis-Chem over data breach

The Information Regulator has issued pharmacy chain Dis-Chem with an enforcement notice for various contraventions of the Protection of Personal Information Act (Popia).

“Around April and May 2022, Dis-Chem’s third-party service provider, Grapevine, suffered a brute-force attack by an unauthorised party. Approximately 3.6 million data subjects’ records were accessed from Dis-Chem’s e-statement service database which was managed by Grapevine,” the regulator said in a statement on Friday.

“The affected records in this database were limited to names and surnames, e-mail addresses, and cellphone numbers of the data subjects,” it said.

In its assessment of the data breach, the Information Regulator found that Dis-Chem failed to identify the risk of using weak passwords and to put measures in place to detect unlawful access to their system or, at the very least, secure an agreement with Grapevine to have adequate security measures in place along with reporting protocols in the event of a breach.

According to the enforcement notice, Dis-Chem must now conduct a personal information impact study to ensure that its systems are Popia compliant.

This must be supplemented by an incident response plan to better deal with future breaches. The pharmacy chain must also update all its contracts with operators that process personal information on Dis-Chem’s behalf, like Grapevine, to compel them to become Popia compliant.


Dis-Chem must implement these and other stipulations in the enforcement notice and provide a report to the regulator within 31 days of its issuance. Should Dis-Chem not abide by these guidelines, it will find itself liable to a fine of up to R10-million, similar to the R5-million fine the regulator issued to the department of justice in July.

Dis-Chem could not immediately be reached for comment. – © 2023 NewsCentral Media