Dis-Chem hits back at privacy watchdog over data breach findings

Supplier news

By: Jan Vermeulen - MyBroadband

Dis-Chem has hit back at the Information Regulator after the privacy watchdog slammed the pharmacy group with an enforcement notice over a data breach last May.

The regulator ordered Dis-Chem to sharpen its security processes or face penalties, including a fine of up to R10 million, imprisonment, or both.

According to the regulator’s findings, a data breach at third-party service provider Grapevine exposed the contact details of 3.6 million Dis-Chem customers.

An attacker used a brute-force attack to guess the password of a user with access to Dis-Chem’s e-Statement Service database, which Grapevine managed.

“The affected records in this database were limited to names and surnames, e-mail addresses, and cellphone numbers of the data subjects,” the regulator stated.

Responding to the enforcement notice, Dis-Chem issued a statement disputing the accuracy of some of the regulator’s allegations.

“Dis-Chem confirms it has already responded to and actioned all orders contained in the Enforcement Notice and will report to the regulator within 31 days as requested,” the company said.

“The company confirms that the data held by the third-party provider was restricted to mailing details only and did not contain any sensitive medical, financial, or banking information.”

It gave the assurance that third parties could never have had access to this type of information.

“Dis-Chem strongly disputes the regulator’s claim that it failed to notify data subjects as it followed all required POPI guidelines to ensure that customers were immediately made aware of the breach,” the company said.

“A formal notice was published on the Dis-Chem website, and a media statement was released nationally.”

While the Information Regulator’s media statement about its enforcement notice did allege Dis-Chem failed to notify customers properly, that wasn’t the meat of its findings against the pharmacy group.

In its assessment, the regulator found that Dis-Chem failed to:

  • Identify the risk of using weak passwords and prevent the usage of such passwords.
  • Put in place adequate measures to monitor and detect unlawful access to their environment.
  • Enter into an operator agreement with Grapevine and ensure it has adequate security measures in place to secure personal information in its possession.
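The first two findings describe controls that are straightforward to implement. The following Python script is an added example, not code from the article, from Dis-Chem or from Grapevine: it rejects weak passwords against a short constructed denylist and a minimum length, and it flags a burst of failed logons from one source against one account (the pattern a brute-force attempt leaves in an authentication log), raising the severity if a success follows the burst. The log format and the sample lines are constructed for the example and do not come from the incident.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log (hypothetical format; not from the incident).
SAMPLE_LOG = """\
2023-05-01T10:00:01Z auth user=svc_estatement src=203.0.113.5 result=FAIL
2023-05-01T10:00:03Z auth user=svc_estatement src=203.0.113.5 result=FAIL
2023-05-01T10:00:04Z auth user=svc_estatement src=203.0.113.5 result=FAIL
2023-05-01T10:00:06Z auth user=alice src=198.51.100.7 result=FAIL
2023-05-01T10:00:07Z auth user=svc_estatement src=203.0.113.5 result=FAIL
2023-05-01T10:00:09Z auth user=svc_estatement src=203.0.113.5 result=FAIL
2023-05-01T10:00:12Z auth user=alice src=198.51.100.7 result=SUCCESS
2023-05-01T10:00:15Z auth user=svc_estatement src=203.0.113.5 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for (src, user) pairs with `threshold` failures inside `window`.

    A success from a pair that was already flagged is reported at high severity,
    because that is the point at which a guessing attack has succeeded.
    """
    fails = defaultdict(deque)  # (src, user) -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["user"])
        q = fails[key]
        while q and ev["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"severity": "medium", "src": ev["src"], "user": ev["user"],
                               "failures": len(q), "reason": "failed-logon burst"})
        elif key in flagged:
            alerts.append({"severity": "high", "src": ev["src"], "user": ev["user"],
                           "failures": len(q), "reason": "success after failed-logon burst"})
            flagged.discard(key)
            q.clear()
    return alerts


# Constructed, deliberately short denylist; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "welcome", "welcome1", "admin", "letmein"}


def is_weak_password(pw, min_len=12):
    """True if the password is too short, on the denylist, or lacks character variety."""
    if len(pw) < min_len:
        return True
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        return True
    # A dictionary word with digits or symbols appended is still a dictionary word.
    if re.sub(r"[^a-z]", "", lowered) in COMMON_PASSWORDS:
        return True
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return classes < 3


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
    for candidate in ("Password1", "c0rrect-Horse-b4ttery"):
        print(candidate, "weak" if is_weak_password(candidate) else "acceptable")
```

On the sample log the service account draws a medium alert on its fifth failure and a high alert when the subsequent success arrives, while the single failure against `alice` followed by a success produces nothing. Counting per source and account keeps an ordinary user who mistypes twice below the threshold; a password spray across many accounts would need a second counter keyed on source alone.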

As part of the remedial action Dis-Chem must take, the regulator also ordered that the company implement an adequate Incident Response Plan.

This includes implementing the Payment Card Industry Data Security Standards (PCI DSS) by maintaining a vulnerability management programme, implementing strong access control measures, and maintaining an Information Security Policy.

Dis-Chem said the allegation that it did not implement an adequate Incident Response Plan by implementing PCI DSS has no bearing at all, and is irrelevant to the enforcement notice.

“Dis-Chem is fully PCI DSS compliant, and the third-party provider has no access to or involvement in card payments,” the company stated.

“Following the data breach, Dis-Chem implemented all necessary steps and protocols to control access to the database and isolate the threat,” it continued.

“The company has responded to the regulator via written communication on all concerns raised.”

Dis-Chem said it has worked, and will continue to work, with the regulator to ensure full compliance on “any relevant and accurate” areas of concern.

“Dis-Chem has always been acutely aware of the critical nature of securing data and makes data protection an absolute priority.”

