The Information Regulator has issued pharmacy chain Dis-Chem Pharmacies with an enforcement notice for various contraventions of the Protection of Personal Information Act (Popia).
“Around April and May 2022, Dis-Chem’s third-party service provider, Grapevine, suffered a brute-force attack by an unauthorised party. Some 3.7 million data subjects’ records were accessed from Dis-Chem’s e-statement service database which was managed by Grapevine,” the regulator said in a statement on Friday.
“The affected records in this database were limited to names and surnames, e-mail addresses, and cellphone numbers of the data subjects,” it said.
In its assessment of the data breach, the Information Regulator found that Dis-Chem failed to identify the risk of using weak passwords and to put measures in place to detect unlawful access to their system or, at the very least, secure an agreement with Grapevine to have adequate security measures in place along with reporting protocols in the event of a breach.
According to the enforcement notice, Dis-Chem must now conduct a personal information impact study to ensure that its systems are Popia compliant.
This must be supplemented by an incident response plan to better deal with future breaches. The pharmacy chain must also update all its contracts with operators that process personal information on Dis-Chem’s behalf, like Grapevine, to compel them to become Popia compliant.
Dis-Chem must implement these and other stipulations in the enforcement notice and provide a report to the regulator within 31 days. Should Dis-Chem not abide by these guidelines, it will find itself liable to a fine of up to R10-million, similar to the R5-million fine the regulator issued to the department of justice in July.
TechCentral first reported about a data “incident” at Dis-Chem last year involving a “third-party service provider or operator” that had led to the compromise of millions of client records containing personal information. Dis-Chem did not name the third party at the time, but did say no sensitive medical, financial or banking information was contained in the database.
In a statement released on Friday, Dis-Chem disputed the accuracy of the Information Regulator’s allegations.
The pharmacy chain agreed with the assertion that the data breach was restricted to customer data relating only to mailing information, confirming that no “medical, financial or banking information” had been breached because “the [service] provider, Grapevine, can never have access to this type of information”.
However, Midrand-based Dis-Chem refuted the regulator’s claim that it was inadequate in its efforts to fulfil its reporting duties once the breach had occurred.
“Dis-Chem strongly disputes the regulator’s claim that it failed to notify data subjects as it followed all required Popia guidelines to ensure that customers were immediately made aware of the breach. A formal notice was published on the Dis-Chem website and a media statement was released nationally.”
Dis-Chem also dismissed the regulator’s stipulations regarding the failure to implement an incident response plan as per the Payment Card Industry Data Security Standards (PCI DSS), saying that the PCI DSS response plan “has no bearing at all and is irrelevant to the enforcement notice” because Grapevine, the compromised service provider, played no role in card payments and therefore did not hold any customer card data in its possession.
“Following the data breach, Dis-Chem implemented all necessary steps and protocols to control access to the database and isolate the threat. The company has responded to the regulator via written communication on all concerns raised. It has, and will, continue to work with the regulator to ensure full compliance on any relevant and accurate areas of concern,” the retailer said. – © 2023 NewsCentral Media