The Information Regulator is cracking the whip when it comes to non-compliance with South Africa’s data protection law, issuing Dis-Chem with an enforcement notice.
This comes less than two months after enforcement notices were issued to the South African Police Service and Department of Justice and Constitutional Development. The latter was fined R5 million for not complying with one of the conditions in the enforcement notices.
In a statement, the information watchdog says Dis-Chem was issued with the enforcement notice on 31 August, after finding it contravened various sections of the Protection of Personal Information Act (POPIA).
The regulator has instructed the pharmacy retail giant to provide a report on the implementation of the actions ordered in the enforcement notice within 31 days.
Should the company fail to comply with the POPIA-related enforcement notice within the stipulated timeframe, it will be guilty of an offence and liable to an administrative fine not exceeding R10 million, or, upon conviction, to imprisonment, or both, the regulator states.
The regulator’s enforcement notice is the result of the data breach Dis-Chem suffered in 2022.
In May, Dis-Chem fell victim to a cyber attack that emanated from its third-party service provider, Grapevine, and resulted in data of over 3.6 million South Africans being compromised.
The affected records in this database were limited to names and surnames, e-mail addresses and cellphone numbers of the data subjects.
According to the regulator, Dis-Chem became aware of the security compromise on 1 May 2022, and subsequently notified the regulator in writing on 5 May 2022.
The regulator says it then conducted an own-initiative assessment into the security compromise following Dis-Chem’s failure to notify data subjects as required by section 22 of POPIA.
“Following the assessment, the regulator determined that Dis-Chem had interfered with the protection of personal information of the data subjects, and thus breached the conditions for the lawful processing of personal information.”
The regulator notes its assessment found that Dis-Chem failed to:
- Identify the risk of using weak passwords and prevent the usage of such passwords.
- Put in place adequate measures to monitor and detect unlawful access to its environment.
- Enter into an operator agreement with Grapevine.
- Ensure Grapevine has adequate security measures in place to secure personal information in its possession.
Furthermore, the agreement would have outlined the processes of reporting to Dis-Chem in the event of a security compromise, says the regulator.
In the enforcement notice, the regulator orders Dis-Chem to:
- Conduct a personal information impact assessment to ensure adequate measures and standards exist to comply with the conditions for the lawful processing of personal information as required by Regulation 4(1)(b) of POPIA.
- Implement an adequate incident response plan.
- Implement the Payment Card Industry Data Security Standard (PCI DSS) by maintaining a vulnerability management programme, implementing strong access control measures and maintaining an information security policy.
- Ensure it concludes written contracts with all operators that process personal information on its behalf, and that such contracts compel the operator(s) to establish and maintain the same or better security measures as those referred to in section 19 of POPIA.
- Develop, implement, monitor and maintain a compliance framework, in terms of Regulation 4(1)(a) of POPIA, which clearly makes provision for the reporting obligations of Dis-Chem and all its operators in terms of section 22 of POPIA.
Flexing its muscle
Faced with an increased number of complaints over the unlawful processing of personal information, the Information Regulator last year announced the establishment of an Enforcement Committee.
Data breaches exposing the personal information of members of the public continue to rise in South Africa. In June, the regulator revealed it had received 1 021 data breach notifications.
The CSIR estimates the impact of cyber crime on the South African economy to be at R2.2 billion per annum, amid the country’s worsening data security and privacy environment.
Systems integrator Dimension Data and its subsidiary Merchants in March acknowledged a “limited” breach experienced on their call management system platform that exposed client data.
Additionally, a glitch in big-four bank FNB’s mobile app exposed personal information of customers applying for home loans using the digital platform. The exposed data included personally identifiable information, such as names, identity numbers and contact details.
Subsea cable operator Seacom last month confirmed a cyber attack, saying the incident impacted a small number of its customers.
In September 2021, over a million South African citizens potentially had their personal data exposed after a ransomware attack at debt recovery services firm Debt-IN Consultants. Most local banks make use of its services.
In August 2020, credit bureau Experian suffered a breach of data, which exposed some personal information of as many as 24 million South Africans and 793 749 business entities to a suspected fraudster.