The Information Regulator (IR) has given Dis-Chem Pharmacies Limited a deadline to enhance the protection of its customers’ personal information and comply with the Protection of Personal Information Act (Popia), or it may be fined up to R10 million.
The retail pharmacy chain has 31 days to comply with the actions contained in an enforcement notice issued by the IR on 31 August.
But Dis-Chem has disputed the accuracy of the allegations made by the Regulator and said it has already actioned all the orders in the enforcement notice.
In April and May 2022, an unauthorised party launched a “brute force attack” on Grapevine, Dis-Chem’s third-party service provider. A brute force attack is aimed at cracking a password by continuously trying different combinations until the right character combination is found.
On 1 May, Dis-Chem became aware of the security compromise, or data breach, through SMSs sent to some of its employees, and on 5 May, Dis-Chem notified the Regulator of the security compromise.
About 3.6 million data subjects’ records were accessed from Dis-Chem’s e-statement service database, which was managed by Grapevine. The affected records were limited to the names and surnames, email addresses, and cellphone numbers of the data subjects (the individuals to whom the personal information relates).
In a statement, the IR said Dis-Chem failed to notify the data subjects of the data breach, as required by section 22 of Popia.
The Regulator said following an assessment, it determined that Dis-Chem had interfered with the protection of the data subjects’ personal information, and thus breached the conditions for the lawful processing of personal information.
According to the Regulator, the assessment found that Dis-Chem failed to:
- identify the risk of using weak passwords and prevent the use of such passwords,
- put in place adequate measures to monitor and detect unlawful access to its environment, and
- enter an operator agreement with Grapevine and ensure that Grapevine had adequate measures in place to secure the personal information in its possession. The agreement would have outlined the processes of reporting to Dis-Chem in the event of a security compromise.
The Regulator’s enforcement notice ordered Dis-Chem to, among other things:
- Conduct a Personal Information Impact Assessment to ensure that adequate measures and standards exist to comply with the conditions for the lawful processing of personal information, as required by Regulation 4(1)(b) of Popia.
- Implement an adequate Incident Response Plan. This includes implementing the Payment Card Industry Data Security Standards (PCI DSS) by maintaining a vulnerability management programme, implementing strong access control measures, and maintaining an Information Security Policy.
- Conclude written contracts with all operators that process personal information on its behalf. The contracts must compel the operators to establish and maintain the same or better security measures referred to in section 19 of Popia.
- Develop, implement, monitor, and maintain a compliance framework, in terms of Regulation 4(1)(a) of Popia that clearly provides for the reporting obligations of Dis-Chem and all its operators in terms of section 22 of Popia.
Dis-Chem must provide a report to the Regulator on the implementation of the actions ordered in the enforcement notice within 31 days of its issuing and receipt.
If DisChem fails to abide by the enforcement notice within the stipulated timeframe, it will be guilty of an offence. The sanctions include an administrative fine of up to R10m, imprisonment if convicted, or both.
Dis-Chem says it notified the affected customers
In a statement on 1 September, Dis-Chem agreed with the IR’s finding that the data breach was restricted to customer data relating only to mailing information, stating that no “medical, financial or banking information” had been breached because the service provider, Grapevine, “can never have access to this type of information”.
But the retailer disputed the Regulator’s claim that it failed to notify the affected data subjects. Dis-Chem said it “followed all required Popia guidelines to ensure that customers were immediately made aware of the breach. A formal notice was published on the Dis-Chem website and a media statement was released nationally.”
Dis-Chem said the allegation that it did not implement an adequate Incident Response Plan by implementing the PCI DSS measures “had no bearing at all and is irrelevant to the enforcement notice” because Grapevine played no role in card payments and therefore did not hold any customer card data in its possession.
It added that after the breach it also implemented “all necessary steps and protocols to control access to the database and isolate the threat”.
“Following the data breach, Dis-Chem implemented all necessary steps and protocols to control access to the database and isolate the threat. The company has responded to the regulator via written communication on all concerns raised. It has, and will, continue to work with the regulator to ensure full compliance on any relevant and accurate areas of concern,” the retailer said.
Dis-Chem said it “has always been acutely aware of the critical nature of securing data and makes data protection an absolute priority”.
Is your organisation compliant?
Click on the links below to understand:
- Who are the role players in Popia,
- Why Popia’s eight processing principles are important,
- To whom Popia applies,
- Why compliance with Popia matters,
- The benefits of complying with Popia, and
- How to comply with Popia.
If you need assistance with structuring your Privacy Governance Framework, please visit Moonstone Compliance’s Privacy Governance page.