Dis-Chem avoids potential R10-million fine for data breach

South African pharmaceutical group Dis-Chem has avoided a potential fine of up to R10 million for not doing enough to secure its customers’ private data.

This comes after South Africa’s Information Regulator closed a file on a data breach that happened in early 2022, which had led to 3.6 million Dis-Chem customers’ personal information being exposed in a cyberattack.

The regulator found that Dis-Chem had complied with an enforcement notice issued against it in September 2023, which demanded the company take certain steps to address its failure to protect customers’ data or face an administrative fine of up to R10 million.

Hackers gained access to customers’ names, email addresses, and cellphone numbers using brute force attacks on the e-Statement Service, which was managed by Grapevine.

Following an investigation into the incident, the regulator determined that Dis-Chem had failed to:

• Identify the risk of using weak passwords and prevent the usage of such passwords.
• Put in place adequate measures to monitor and detect unlawful access to their environment.
• Enter into an operator agreement with Grapevine and ensure it had adequate security measures to secure personal information in its possession.

The regulator subsequently ordered Dischem to take several steps and provide feedback on their implementation within 31 days of the issuing and receipt of the enforcement notice.

The order included that Dis-Chem should:

• Conduct a Personal Information Impact Assessment to ensure that adequate measures and standards exist to comply with the conditions for the lawful processing of personal information as required by Regulation 4(1)(b) of POPIA.
• Implement an adequate Incident Response Plan: Implement the Payment Card Industry Data Security Standards (PCIDSS) by maintaining a vulnerability management programme, implementing strong access control measures, and maintaining an Information Security Policy.
• Ensure that it concludes written contracts with all operators who process personal information on its behalf and that such contracts compel the operator(s) to establish and maintain the same or better security measures referred to in section 19 of POPIA.
• Develop, implement, monitor, and maintain a compliance framework in terms of Regulation 4(1)(a) of POPIA, which clearly makes provision for the reporting obligations of Dis-Chem and all its operators in terms of section 22 of POPIA.

Had Dis-Chem failed to abide by the order, the regulator said it could impose an administrative fine of an amount not exceeding R10 million or slap those deemed responsible for failing to secure customers’ data with a prison conviction.