Dis-Chem hits back at POPIA violation enforcement notice

By Simnikiwe Mzekandaba, IT in government editor
Johannesburg, 04 Sept 2023
A Dis-Chem cyber attack resulted in data of over 3.6 million South Africans being compromised.

Dis-Chem says it “strongly disputes” claims it did not comply with various sections of the Protection of Personal Information Act (POPIA) after its May 2022 data breach.

This comes after the Information Regulator revealed it had issued Dis-Chem with an enforcement notice for contravention of various sections of POPIA.

The regulator says it conducted its own-initiative assessment into the security compromise following “Dis-Chem’s failure to notify data subjects as required by section 22 of POPIA”.

Through its assessment, the regulator says it determined Dis-Chem had interfered with the protection of personal information of the data subjects, and thus breached the conditions for the lawful processing of personal information.

Further, the information watchdog gave Dis-Chem 31 days to provide a report on the implementation of the actions ordered in the enforcement notice.

However, the pharmacy retail giant has disputed the accuracy of the allegations, saying it has already responded to and actioned all orders contained in the enforcement notice and will report to the regulator within 31 days as requested.

Says Dis-Chem: “The company confirms the data held by the third-party provider was restricted to mailing details only, and did not contain any sensitive medical, financial, or banking information. The provider can never have access to this type of information.

“Dis-Chem strongly disputes the regulator’s claim that it failed to notify data subjects, as it followed all required POPIA guidelines to ensure customers were immediately made aware of the breach. A formal notice was published on the Dis-Chem website and a media statement was released nationally.”

According to Dis-Chem, the allegation that it failed to implement an adequate incident response plan, specifically by implementing the Payment Card Industry Data Security Standard (PCI DSS), has no bearing on and is irrelevant to the enforcement notice.

“Dis-Chem is fully PCI DSS-compliant, and the third-party provider has no access to, or involvement in, card payments.

“Following the data breach, Dis-Chem implemented all necessary steps and protocols to control access to the database and isolate the threat. The company has responded to the regulator via written communication on all concerns raised. It has, and will, continue to work with the regulator to ensure full compliance on any relevant and accurate areas of concern.

“Dis-Chem has always been acutely aware of the critical nature of securing data and makes data protection an absolute priority.”