By: Jan Vermeulen - MyBroadband

Dis-Chem has hit back at the Information Regulator after the privacy watchdog slammed the pharmacy group with an enforcement notice over a data breach last May.

The regulator ordered Dis-Chem to sharpen its security processes or face penalties, including a fine of up to R10 million, imprisonment, or both.

According to the regulator’s findings, a data breach at third-party service provider Grapevine exposed the contact details of 3.6 million Dis-Chem customers.

An attacker had successfully guessed the password, via brute-force attack, of a user with access to Dis-Chem’s e-Statement Service database, which Grapevine managed.

“The affected records in this database were limited to names and surnames, e-mail addresses, and cellphone numbers of the data subjects,” the regulator stated.

Responding to the enforcement notice, Dis-Chem issued a statement disputing the accuracy of some of the regulator’s allegations.

“Dis-Chem confirms it has already responded to and actioned all orders contained in the Enforcement Notice and will report to the regulator within 31 days as requested,” the company said.

“The company confirms that the data held by the third-party provider was restricted to mailing details only and did not contain any sensitive medical, financial, or banking information.”

It assured that third parties could never have access to this type of information.

“Dis-Chem strongly disputes the regulator’s claim that it failed to notify data subjects as it followed all required POPI guidelines to ensure that customers were immediately made aware of the breach,” the company said.

“A formal notice was published on the Dis-Chem website, and a media statement was released nationally.”

While the Information Regulator’s media statement about its enforcement notice did allege Dis-Chem failed to notify customers properly, that wasn’t the meat of its findings against the pharmacy group.

In its assessment, the regulator found that Dis-Chem failed to:

• Identify the risk of using weak passwords and prevent the usage of such passwords.
• Put in place adequate measures to monitor and detect unlawful access to their environment.
• Enter into an operator agreement with Grapevine and ensure it has adequate security measures in place to secure personal information in its possession.

As part of the remedial action Dis-Chem must take, the regulator also ordered that the company implement an adequate Incident Response Plan.

This includes implementing the Payment Card Industry Data Security Standards (PCI DSS) by maintaining a vulnerability management programme, implementing strong access control measures, and maintaining an Information Security Policy.

Dis-Chem said the allegation that it did not implement an adequate Incident Response Plan by implementing PCI DSS has no bearing at all, and is irrelevant to the enforcement notice.

“Dis-Chem is fully PCI DSS compliant, and the third-party provider has no access to or involvement in card payments,” the company stated.

“Following the data breach, Dis-Chem implemented all necessary steps and protocols to control access to the database and isolate the threat,” it continued.

“The company has responded to the regulator via written communication on all concerns raised.”

Dis-Chem said it has, and will, continue to work with the regulator to ensure full compliance on “any relevant and accurate” areas of concern.

“Dis-Chem has always been acutely aware of the critical nature of securing data and makes data protection an absolute priority.”