The Information Regulator has ordered Dis-Chem to take remedial action to address a hack that led to the personal data of 3.6m customers being breached last year, or face a fine of up to R10m, imprisonment, or both, reports Fin24.

Dis-Chem had to report back to the constitutional body within 31 days on the actions it was taking.

The regulator said it had conducted an assessment following ‘Dis-Chem’s failure to notify data subjects’ as required by the Protection of Personal Information (POPI) Act, concluding it ‘interfered with the protection of personal information of the data subjects, and thus breached the conditions for the lawful processing of personal information’.

This followed a breach at a third-party provider, with the regulator concluding that Dis-Chem failed to identify the risk of weak passwords, didn't have sufficient monitoring, and didn't have an operator agreement with its provider that ensured sufficient security measures were in place.

But Dis-Chem, which confirmed on Friday it had ‘already responded to and actioned all orders’ contained in the regulator's enforcement notice, ‘disputed the accuracy of the allegations,’ given that it had informed customers of the breach.

But it added it would report to the regulator within the timeframe requested.

Around April and May 2022, Dis-Chem's third-party service provider, Grapevine, suffered a ‘brute force attack’, an attack that attempts to crack a password by repeatedly trying different combinations until the correct one is found.
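The regulator's finding that monitoring was insufficient is the kind of gap a basic login-failure correlation would expose. The Python below is an added example, not code from the page, Dis-Chem or Grapevine: the log format, account names, IP addresses, window and threshold are all constructed, and it flags a burst of failures from one source against one account and, more importantly, a success that follows such a burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical "timestamp result user=.. src=.." format;
# these are not real Grapevine or Dis-Chem logs.
SAMPLE_LOG = """\
2022-04-30T22:00:01 FAIL user=alice src=198.51.100.7
2022-04-30T22:00:02 FAIL user=alice src=198.51.100.7
2022-04-30T22:00:03 FAIL user=alice src=198.51.100.7
2022-04-30T22:00:04 FAIL user=alice src=198.51.100.7
2022-04-30T22:00:05 FAIL user=alice src=198.51.100.7
2022-04-30T22:00:06 OK   user=alice src=198.51.100.7
2022-04-30T22:05:00 FAIL user=bob   src=203.0.113.9
2022-04-30T22:30:00 OK   user=bob   src=203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")

def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return alerts as (kind, user, src, timestamp) tuples.
    'burst': at least `threshold` failures from one src against one user inside `window`.
    'success_after_burst': a successful login from a (src, user) pair that produced a burst."""
    failures = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    burst_seen = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                # skip malformed lines instead of crashing the monitor
        ts = datetime.fromisoformat(m.group(1))
        result, user, src = m.group(2), m.group(3), m.group(4)
        key = (src, user)
        recent = failures[key]
        while recent and ts - recent[0] > window:
            recent.popleft()        # expire failures that fell out of the sliding window
        if result == "FAIL":
            recent.append(ts)
            if len(recent) >= threshold and key not in burst_seen:
                burst_seen.add(key)
                alerts.append(("burst", user, src, ts))
        elif key in burst_seen:
            alerts.append(("success_after_burst", user, src, ts))
    return alerts

if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(*alert)
```

With the constructed sample, the alice entries raise a burst and then a success-after-burst alert, while bob's single failure followed by a later success stays quiet.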

The regulator said Dis-Chem became aware of the security compromise on 1 May through SMSes sent to some of its employees, with the pharmaceutical retailer notifying the regulator of the breach in writing four days later.

The records of customers were accessed, but this was limited to names, surnames, email addresses and cellphone numbers.

The regulator's enforcement notice ordered Dis-Chem to conduct a personal information impact assessment to ensure that adequate measures and standards exist to comply with the POPI Act.

It also had, among other things, to implement an adequate incident response plan and payment card industry data security standards by maintaining a ‘vulnerability management programme’, reports Fin24.

Dis-Chem said it strongly disputes the regulator’s claim that it failed to notify data subjects as it followed all required POPI guidelines to ensure that customers were immediately made aware of the breach.

Full Fin24 report

See also full Business Day report