Retail pharmacy group Dis-Chem has been found guilty of contravening various sections of the Protection of Personal Information Act (POPIA) after a cyber-attack compromised the personal records of more than three million South Africans last year.
The Information Regulator has now given the retailer instructions to ensure people’s personal information is sufficiently safeguarded, or face a fine of up to R10 million or even imprisonment.
The security breach, which occurred in April 2022, saw the names, email addresses, and contact details of 3.6 million South Africans accessed by cyber criminals.
The data was compromised when one of Dis-Chem’s third-party service providers, Grapevine, was hacked. This operator had developed a database for the retailer which contained certain categories of personal information necessary for the services offered by Dis-Chem.
On Wednesday, the Regulator issued an Enforcement Notice to Dis-Chem after it found the retailer to have contravened various sections of POPIA. The Regulator had conducted its own-initiative assessment into the security compromise after Dis-Chem failed to notify data subjects as required by section 22 of the Act.
“Following the assessment, the Regulator determined that Dis-Chem had interfered with the protection of personal information of the data subjects, and thus breached the conditions for the lawful processing of personal information.”
The Regulator’s assessment found that Dis-Chem failed to:
- identify the risk of using weak passwords and prevent the usage of such passwords
- put in place adequate measures to monitor and detect unlawful access to their environment
- enter into an operator agreement with Grapevine and ensure it had adequate security measures in place to secure personal information in its possession. Furthermore, the agreement would have outlined processes of reporting to Dis-Chem in the event of a security compromise
The Enforcement Notice has ordered Dis-Chem to take the following actions:
- conduct a Personal Information Impact Assessment to ensure that adequate measures and standards exist to comply with the conditions for the lawful processing of personal information as required by Regulation 4(1)(b) of POPIA
- implement an adequate Incident Response Plan
- implement the Payment Card Industry Data Security Standard (PCI DSS) by maintaining a vulnerability management programme
- implement strong access control measures and maintain an Information Security Policy
- ensure that it concludes written contracts with all operators who process personal information on its behalf, and that such contracts compel the operator(s) to establish and maintain same or better security measures referred to in section 19 of POPIA
- develop, implement, monitor, and maintain a compliance framework, in terms of Regulation 4(1)(a) of POPIA which clearly makes provision for the reporting obligations of Dis-Chem and all its operators in terms of section 22 of POPIA.
Dis-Chem must provide a report to the Regulator on the implementation of the actions ordered in the Enforcement Notice within 31 days of the notice being issued and received. Should it fail to do so within that time frame, it could be found guilty of an offence and face a fine of up to R10 million, imprisonment, or both.