Dis-Chem, a pharmacy and retailer in South Africa, has been instructed by the country’s Information Regulator to take corrective measures or face a fine of up to R10 million after a data breach that occurred over a year ago.
- The breach compromised the personal data of approximately 3.6 million Dis-Chem customers. The compromised information, stored in a database managed by third-party company Grapevine, included names, surnames, email addresses, and mobile phone numbers.
- The Information Regulator determined that Dis-Chem failed to notify affected customers about the breach, which violated section 22 of the Protection of Personal Information Act (Popia).
- Dis-Chem, however, disputes the charge, stating that it published a formal notice on its website and issued a national media statement following the incident in May 2022.
- The regulator’s investigation revealed that Dis-Chem did not adequately identify the risk of weak passwords and did not implement sufficient measures to monitor and detect unauthorized access to its systems.
- Grapevine experienced a brute-force attack, in which a malicious party repeatedly tries different character combinations against a login until one of them matches the password.
- To address the issue, Dis-Chem has been instructed to conduct a personal information impact assessment, establish written contracts with all operators processing personal data on its behalf, and ensure the implementation of robust security measures.
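The regulator's finding that the risk of weak passwords was not identified and that unauthorized access was not adequately monitored or detected points at the kind of control that would have surfaced a brute-force attack while it was in progress. The following is an added illustration, not code from the page, from Dis-Chem or from Grapevine: a small detector that reads authentication log lines, keeps a sliding window of failed logins per (source address, account) pair, raises a medium-severity alert when the failures cross a threshold, and raises a high-severity alert when a successful login follows such a burst, since that is the moment a guessed password actually pays off. The log format, the threshold of five failures in ten minutes, and the sample log lines are all assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed application auth-log format.
# The addresses are documentation ranges and the account names are invented.
SAMPLE_LOG = """\
2022-04-30T10:00:01Z auth FAIL user=ops.admin src=198.51.100.7
2022-04-30T10:00:02Z auth FAIL user=ops.admin src=198.51.100.7
2022-04-30T10:00:03Z auth FAIL user=ops.admin src=198.51.100.7
2022-04-30T10:00:04Z auth FAIL user=ops.admin src=198.51.100.7
2022-04-30T10:00:05Z auth FAIL user=ops.admin src=198.51.100.7
2022-04-30T10:00:06Z auth OK   user=ops.admin src=198.51.100.7
2022-04-30T10:05:00Z auth FAIL user=j.smith src=203.0.113.9
2022-04-30T10:30:00Z auth OK   user=j.smith src=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK)\s+user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return a list of alerts found in log_text.

    A 'brute_force' alert (medium) fires once when a (src, user) pair reaches
    `threshold` failed logins inside `window`. A 'success_after_burst' alert
    (high) fires if that same pair then logs in successfully, which is the
    signature of a guessed password rather than a forgotten one.
    """
    failures = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    bursting = set()               # pairs currently above the failure threshold
    alerts = []

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["src"], ev["user"])
        recent = failures[key]

        # Slide the window: forget failures older than `window`.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()

        if ev["result"] == "FAIL":
            recent.append(ev["ts"])
            if len(recent) >= threshold and key not in bursting:
                bursting.add(key)
                alerts.append({
                    "severity": "medium", "type": "brute_force",
                    "src": ev["src"], "user": ev["user"],
                    "failures": len(recent), "at": ev["ts"],
                })
        else:
            # A success after a burst of failures is the event worth paging on.
            if key in bursting:
                alerts.append({
                    "severity": "high", "type": "success_after_burst",
                    "src": ev["src"], "user": ev["user"],
                    "failures": len(recent), "at": ev["ts"],
                })
            # A successful login resets the pair's failure history.
            recent.clear()
            bursting.discard(key)

    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

On the constructed log the detector reports one medium alert for the five rapid failures against `ops.admin` and one high alert for the success that follows them; the single failure and later success for `j.smith` are separated by more than the window and produce nothing. In practice the same counting would also be keyed on account alone and on source alone, because a distributed guessing campaign spreads failures across many addresses while still concentrating them on a few accounts.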