Cape Town - Just when South Africans were getting over the mid-March massive cyberattack at credit bureau TransUnion, another company has suffered the same fate.
This time it’s the pharmacy group Dis-Chem. The group posted a notice on its website alerting customers that one of its third-party service providers suffered a data compromise on Thursday, April 28, affecting 3.68 million of its customers.
“We have since taken the necessary measures in conjunction with our operator to determine the scope of the compromise and to restore the integrity of our operator’s information system,” read the notice.
Dis-Chem explained that they are contracted to a third-party service provider and operator for certain managed services. In these circumstances, the operator developed a database for Dis-Chem which contained certain categories of personal information necessary for the services offered by Dis-Chem.
“It was brought to our attention on 1 May 2022, that an unauthorised party had managed to gain access to the contents of the database. Upon being made aware of the incident, we immediately commenced an investigation into the matter to ensure that the appropriate steps were taken to prevent any further incidents.”
The company said at the moment there is no indication that any personal information has been published or misused as a result of the incident.
“We stress that no identification numbers, medical, financial or banking information was contained in this database. However, we cannot guarantee that this position will remain the same in future.
“Therefore, out of an abundance of caution, we are providing information about the incident as well as the remedial action taken to mitigate against any further adverse consequences of the incident.”
Dis-Chem’s own investigation has revealed that the incident affected a total of 3 687 881 data subjects and that first name and surname, email addresses, and cellphone numbers were accessed.
They added that based on the categories of personal information impacted, there is a possibility that any impacted personal information may be used by the unauthorised party to commit further criminal activities, such as phishing attacks, email compromises, social engineering and/or impersonation attempts.
“For example, it may be cross-referenced with information compromised in other third-party cyber incidents, for the further perpetration of crime against data subjects.”
Renowned cybersecurity expert, co-founder and CEO of GoldPhish Dan Thornton weighed in on the implications for consumers affected and urges businesses across South Africa to treat their data with care to avoid cyberattacks where criminal networks will use the data to launch targeted social engineering scams and extortion attacks against the subjects.
“This is a clear case of a supply chain cyber security attack,” he said.
“Most organisations rely on suppliers to deliver products, systems and services. Gone are the days when businesses are hosting and managing absolutely everything, including an on-premise server room; these are generally being outsourced to hi-tech companies. But, supply chains can be large and complex, involving many suppliers fulfilling various functions.
“Effectively securing the supply chain can be challenging for businesses because vulnerabilities can be inherent, or introduced and exploited at any point in the supply chain, causing damage and disruption.”
He added that it’s never great for the data subjects or a company’s reputation when a data breach involves personal information being lost to attackers.
“However, it seems the dataset in the case of this Dis-Chem breach is fairly limited. Other than a potential increase in spam emails and spam calls, this breach doesn't really place the data subjects at any major increased risk from cybercriminals.”
He further explained that if the breached data set had included plain text passwords (not encrypted), financial data, or sensitive personal medical data on the subjects, this breach’s implications on consumers would be very different.
“This type of data is extremely valuable on the dark web where attackers can sell it on to criminal networks who will, in turn, use the data to launch targeted social engineering scams and extortion attacks against the subjects.”