
Dis-Chem hits back at privacy watchdog over data breach findings

| Supplier news

By: Jan Vermeulen - MyBroadband

Dis-Chem has hit back at the Information Regulator after the privacy watchdog slammed the pharmacy group with an enforcement notice over a data breach last May.

The regulator ordered Dis-Chem to sharpen its security processes or face penalties, including a fine of up to R10 million, imprisonment, or both.

According to the regulator’s findings, a data breach at third-party service provider Grapevine exposed the contact details of 3.6 million Dis-Chem customers.

An attacker brute-forced the password of a user account with access to Dis-Chem’s e-Statement Service database, which Grapevine managed.

“The affected records in this database were limited to names and surnames, e-mail addresses, and cellphone numbers of the data subjects,” the regulator stated.

Responding to the enforcement notice, Dis-Chem issued a statement disputing the accuracy of some of the regulator’s allegations.

“Dis-Chem confirms it has already responded to and actioned all orders contained in the Enforcement Notice and will report to the regulator within 31 days as requested,” the company said.

“The company confirms that the data held by the third-party provider was restricted to mailing details only and did not contain any sensitive medical, financial, or banking information.”

It said third parties could never have had access to that kind of information.

“Dis-Chem strongly disputes the regulator’s claim that it failed to notify data subjects as it followed all required POPI guidelines to ensure that customers were immediately made aware of the breach,” the company said.

“A formal notice was published on the Dis-Chem website, and a media statement was released nationally.”

While the Information Regulator’s media statement about its enforcement notice did allege Dis-Chem failed to notify customers properly, that wasn’t the meat of its findings against the pharmacy group.

In its assessment, the regulator found that Dis-Chem failed to:

  • Identify the risk of using weak passwords and prevent the usage of such passwords.
  • Put in place adequate measures to monitor and detect unlawful access to their environment.
  • Enter into an operator agreement with Grapevine and ensure it has adequate security measures in place to secure personal information in its possession.
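The first two findings describe controls rather than a specific technique. As an added illustration, not code from the article, the regulator, Dis-Chem or Grapevine, the block below shows the minimum a practitioner would expect for each: a password-policy check that rejects short, common or username-derived passwords, and a sliding-window detector that flags repeated failed logins against one account and marks the alert when a success follows them, which is the pattern a brute-forced database login produces. The log format, the account name `svc_estatement`, the IP addresses and the tiny stand-in for a breached-password list are all constructed for the example.

```python
"""Added example: weak-password policy check and brute-force login detection.

Not taken from the article or any Dis-Chem/Grapevine system. The auth-log
format, account names, addresses and password list are constructed here.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: six failures in 15 seconds against a service account,
# then a success (the brute-force-then-login pattern), one benign typo by alice,
# and one line that does not parse.
SAMPLE_LOG = """\
2022-05-01T02:00:00Z auth FAILED user=svc_estatement src=203.0.113.7
2022-05-01T02:00:03Z auth FAILED user=svc_estatement src=203.0.113.7
2022-05-01T02:00:06Z auth FAILED user=svc_estatement src=203.0.113.7
2022-05-01T02:00:09Z auth FAILED user=svc_estatement src=203.0.113.7
2022-05-01T02:00:12Z auth FAILED user=svc_estatement src=203.0.113.7
2022-05-01T02:00:15Z auth FAILED user=svc_estatement src=203.0.113.7
2022-05-01T02:00:18Z auth SUCCESS user=svc_estatement src=203.0.113.7
2022-05-01T08:15:00Z auth FAILED user=alice src=198.51.100.4
2022-05-01T08:15:20Z auth SUCCESS user=alice src=198.51.100.4
this line is malformed and is skipped
"""

# Assumed syslog-like line shape; real database/auth logs differ and need their own regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Return (timestamp, result, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag any account with >= threshold failed logins inside a sliding window.

    Keyed on the account rather than (account, source) so that an attacker
    rotating source addresses against one login is still counted. Each alert
    records the distinct sources seen and whether a SUCCESS followed the run
    of failures, which is the case that warrants immediate incident response.
    """
    failures = defaultdict(deque)  # user -> deque of (ts, src) still inside the window
    open_alerts = {}               # user -> alert dict that is still being updated
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        q = failures[user]
        while q and ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if result == "FAILED":
            q.append((ts, src))
            if len(q) >= threshold:
                alert = open_alerts.get(user)
                if alert is None:
                    alert = {"user": user, "failures": 0, "sources": set(),
                             "first": q[0][0], "last": ts, "success_after": False}
                    open_alerts[user] = alert
                    alerts.append(alert)
                alert["failures"] = len(q)
                alert["sources"] = {s for _, s in q}
                alert["last"] = ts
        else:  # SUCCESS closes the run; if it was already alerted, escalate it
            alert = open_alerts.pop(user, None)
            if alert is not None:
                alert["success_after"] = True
            q.clear()
    return alerts


# Constructed stand-in for a breached/common password list; in practice this is
# checked against a large corpus (or a k-anonymity lookup), not a handful of strings.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "welcome1",
                    "admin", "letmein", "summer2022"}


def password_weaknesses(pw, min_len=12, username=""):
    """Return the list of policy violations for pw; an empty list means acceptable."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common/breached password list")
    if username and username.lower() in pw.lower():
        reasons.append("contains the username")
    if len(set(pw.lower())) < 5:  # e.g. "aaaaaaaaaaaa" or "abababababab"
        reasons.append("too little character variety")
    return reasons


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {a['user']}: {a['failures']} failures from {sorted(a['sources'])} "
              f"between {a['first']} and {a['last']}; success_after={a['success_after']}")
    print(password_weaknesses("Password1"))
    print(password_weaknesses("svc_estatement2022", username="svc_estatement"))
```

The detector only counts; the lockout or step-up decision (temporary account lock, alert to the on-call responder, forced credential rotation) belongs in whatever consumes the alerts. The threshold and window are deliberately parameters: a service account that never legitimately fails a login can be flagged far more aggressively than an interactive user.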

As part of the remedial action Dis-Chem must take, the regulator also ordered that the company implement an adequate Incident Response Plan.

This includes implementing the Payment Card Industry Data Security Standard (PCI DSS) by maintaining a vulnerability management programme, implementing strong access control measures, and maintaining an information security policy.

Dis-Chem said the allegation that it failed to implement an adequate Incident Response Plan by implementing PCI DSS has no bearing on, and is irrelevant to, the enforcement notice.

“Dis-Chem is fully PCI DSS compliant, and the third-party provider has no access to or involvement in card payments,” the company stated.

“Following the data breach, Dis-Chem implemented all necessary steps and protocols to control access to the database and isolate the threat,” it continued.

“The company has responded to the regulator via written communication on all concerns raised.”

Dis-Chem said it has worked, and will continue to work, with the regulator to ensure full compliance on “any relevant and accurate” areas of concern.

“Dis-Chem has always been acutely aware of the critical nature of securing data and makes data protection an absolute priority.”

