• Home
  • /
  • Channel
  • /
  • DiData confirms ‘limited’ breach on call centre platform

DiData confirms ‘limited’ breach on call centre platform

Admire Moyo
By Admire Moyo, ITWeb's news editor.
Johannesburg, 03 Mar 2023

Systems integrator Dimension Data and its subsidiary Merchants have acknowledged a “limited” breach experienced on their call management system (CMS) platform that exposed client data.

ITWeb understands the CMS platform is used by blue chip companies, such as MultiChoice, Massmart, South African Airways, Tymebank, Virgin Active, Massbuild, Makro, AbinBev and Britehouse, among others.

ITWeb also understands the CMS platform in question is provided by US-based multinational Avaya, which recently filed for bankruptcy for the second time in six years.

As a systems integrator, Dimension Data builds computing systems for clients by combining hardware, software, networking and storage products from multiple vendors.

An “engineer who has been with Dimension Data for more than five years” reached out to ITWeb about the breach. It was claimed the users of the CMS platform could easily access each other’s data as a result of the vulnerability. It was alleged the company knew about the vulnerability five years ago.

The anonymous author of the e-mailed allegations has since not replied to ITWeb’s follow-up questions on the matter.

In reply to ITWeb’s request for comment on the issue, Dimension Data said it and subsidiary Merchants are aware of a limited data breach involving some users on a CMS platform provided by one of their service providers.

However, Dimension Data did not comment on whether it was aware of the vulnerability five years ago, as alleged.

“It is important to clarify that [the breach] was limited to visibility of name, surname and company only,” stated Dimension Data.

“There has been no exposure of any additional or sensitive personal information whatsoever. In line with our strong governance controls, as well as the Protection of Personal Information Act (POPIA), we have notified the Information Regulator.

“We regret that this has occurred, and any inconvenience caused to our clients. An internal investigation has been initiated. Dimension Data will not hesitate to take disciplinary action, should it be necessary.”

A Dimension Data unit, Merchants is a customer management firm specialising in business process outsourcing that delivers customer experience and customer interactions.

Merchants says it has been “creating and managing contact centre operations around the world to blue chip clients since 1981”.

A CMS ensures customers are receiving optimal responses to their calls within time, and tracks callers to improve relationships with those prospects and clients. The platform’s purpose is to track calls, obtain useful information from callers and route the calls to the right agent.

Under South Africa’s data privacy law, POPIA, organisations must inform the Information Regulator if they expose the personal information of data subjects to unauthorised third-parties without their approval.

The Dimension Data case comes as South African organisations continue to suffer mounting data breaches.

Last week, ITWeb reported a similar incident, whereby big-four bank FNB’s mobile app exposed personal information of customers applying for home loans using the digital platform.

In the FNB case, an FNB client who used the mobile app to apply for a home loan, would easily see the personal details of other home loan applicants.

The Information Regulator has also raised alarm over the increasing number of data breaches being reported by South Africans.

POPIA sets down firm frameworks that companies have to abide by to avoid fines, criminal persecution and potential reputation loss.

Breaching the rules and regulations outlined by this Act can have serious financial implications for the business – repercussions that can cost a fortune and have long-lasting consequences, such as reputational damage.

The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.