Dis-Chem must take action after 3.6m clients were hacked – or face millions in fines, warns watchdog

  • The Information Regulator has ordered pharmacy group Dis-Chem to report back on remedial actions after a third-party service provider was hacked.
  • The records of some 3.6 million customers were accessed, with the information regulator concluding weak passwords were involved.
  • But while the regulator says there was a failure to notify those affected, Dis-Chem disputes this, and says it has already implemented the required measures.

The Information Regulator has ordered Dis-Chem to take remedial action to address a hack that led to the personal data of 3.6 million customers being breached last year, or face a fine of up to R10 million, imprisonment, or both.

Dis-Chem had to report back within 31 days to the constitutional body, which regulates both access to information and the protection of personal information, on the actions it was taking.

The regulator said it had conducted an assessment following “Dis-Chem’s failure to notify data subjects” as required by the Protection of Personal Information Act (POPI Act), concluding that it “interfered with the protection of personal information of the data subjects, and thus breached the conditions for the lawful processing of personal information.”

This followed a breach at a third-party provider, with the regulator concluding that Dis-Chem failed to identify the risk of weak passwords, didn’t have sufficient monitoring, and didn’t have an operator agreement with its provider that ensured sufficient security measures were in place.

But Dis-Chem confirmed on Friday that it had “already responded to and actioned all orders” contained in the regulator’s enforcement notice, and “disputed the accuracy of the allegations,” given that it had informed customers of the breach. It added that it would nonetheless report to the regulator within the timeframe requested.

Around April and May 2022, Dis-Chem’s third-party service provider, Grapevine, suffered a “brute force attack”, which is an action aimed at cracking a password by continuously trying different combinations until the right combination is found.
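The regulator’s findings turned on weak passwords and insufficient monitoring. A brute-force attack of the kind described above is noisy: it produces a burst of failed logins from one source, typically followed by a success once the right combination is found. The following is an added example (not code from Dis-Chem, Grapevine, the regulator or the article) of the monitoring logic that would have surfaced such a burst. It runs over constructed, labelled sample log lines in an assumed `timestamp login OK|FAIL user=… src=…` format, counts failures per source inside a sliding time window so that password spraying across many accounts is caught as well as hammering on one account, and raises a second, higher-priority alert when a success follows the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the incident). The format is an
# assumption for this example: ISO-8601 UTC timestamp, outcome, account, source IP.
SAMPLE_LOG = """\
2022-04-30T21:40:00Z login FAIL user=agent01 src=198.51.100.7
2022-04-30T22:01:03Z login FAIL user=agent01 src=198.51.100.7
2022-04-30T22:01:04Z login FAIL user=agent01 src=198.51.100.7
2022-04-30T22:01:05Z login FAIL user=agent01 src=198.51.100.7
2022-04-30T22:01:06Z login FAIL user=agent02 src=198.51.100.7
2022-04-30T22:01:07Z login FAIL user=agent02 src=198.51.100.7
2022-04-30T22:01:09Z login OK user=agent02 src=198.51.100.7
2022-04-30T22:03:00Z login FAIL user=clerk07 src=203.0.113.5
2022-04-30T22:03:20Z login OK user=clerk07 src=203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<outcome>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Turn one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "outcome": m.group("outcome"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def _trim(window_failures, now, window):
    """Drop failure timestamps that fell out of the sliding window."""
    while window_failures and now - window_failures[0] > window:
        window_failures.pop(0)


def analyze(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for sources that exceed `threshold` failed logins inside `window`.

    Failures are keyed on the source address, not the account, so one source
    trying many accounts (password spraying) is counted the same way as one
    source hammering a single account. A successful login from a source that
    is still over the threshold is reported separately as the higher-priority
    event, because it is the signature of a brute force that worked.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])

    recent = defaultdict(list)   # src -> timestamps of failures within the window
    alerted = set()              # sources already reported, to avoid one alert per line
    alerts = []

    for e in events:
        failures = recent[e["src"]]
        _trim(failures, e["ts"], window)

        if e["outcome"] == "FAIL":
            failures.append(e["ts"])
            if len(failures) >= threshold and e["src"] not in alerted:
                alerted.add(e["src"])
                alerts.append({"type": "brute_force", "src": e["src"],
                               "user": e["user"], "at": e["ts"],
                               "failures": len(failures)})
        elif len(failures) >= threshold:
            alerts.append({"type": "success_after_failures", "src": e["src"],
                           "user": e["user"], "at": e["ts"],
                           "failures": len(failures)})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a['at'].isoformat()} {a['type']:<24} src={a['src']} "
              f"user={a['user']} failures_in_window={a['failures']}")
```

On the sample data the single old failure at 21:40 ages out of the window and is ignored; the burst between 22:01:03 and 22:01:07 crosses the threshold of five and produces one `brute_force` alert, and the success at 22:01:09 from the same source produces a `success_after_failures` alert. The ordinary user who mistypes once and then logs in is never flagged. The threshold and window are the knobs a defender tunes against their own baseline of failed logins.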

The regulator said in a statement on Friday Dis-Chem became aware of the security compromise on 1 May through SMSes sent to some of its employees, with the pharmaceutical retailer notifying the regulator of the breach in writing four days later.


The records of 3.6 million customers were accessed, but this was limited to names, surnames, email addresses and cellphone numbers.

Remedial actions

The regulator’s enforcement notice ordered Dis-Chem to conduct a personal information impact assessment to ensure that adequate measures and standards exist to comply with the POPI Act.

It also had to, among other things, implement an adequate incident response plan and payment card industry data security standards (PCIDSS) by maintaining a “vulnerability management programme”. It also had to maintain an information security policy and introduce strong access control measures.


Dis-Chem also must have written contracts with all operators who process personal information on its behalf and ensure these agreements compel its third-party providers to maintain the same, or better, security measures. The retailer must develop, implement and monitor a compliance framework around its reporting obligations in terms of the Act.

Dis-Chem told News24 that the data held by the third-party provider was restricted and “did not contain any sensitive medical, financial or banking information”, adding that the provider “can never have access to this type of information”.

It said it “strongly disputes the regulator’s claim that it failed to notify data subjects as it followed all required POPI guidelines to ensure that customers were immediately made aware of the breach”.

Not only was a formal notice published on the company website, but it also issued a national media statement about it, said Dis-Chem.

Dis-Chem said the allegation that it did not implement an adequate incident response plan by implementing the PCIDSS measures “had no bearing at all and is irrelevant to the enforcement notice”. It said it was “fully PCIDSS compliant, and the third-party provider has no access to or involvement in card payments”.

It added that after the breach it also implemented “all necessary steps and protocols to control access to the database and isolate the threat”.

“The company has responded to the regulator via written communication on all concerns raised. It has, and will, continue to work with the regulator to ensure full compliance on any relevant and accurate areas of concern.”

Dis-Chem said it had “always been acutely aware of the critical nature of securing data and makes data protection an absolute priority”.
