Over 3.6m records exposed in Dis-Chem cyber attack

Pharmacy retail giant Dis-Chem has become the latest South African organisation to fall victim to a cyber attack.

According to the company, the cyber incident emanating from its third-party service provider resulted in data of over 3.6 million South Africans being compromised.

The news comes barely two months after TransUnion’s systems were compromised, leaving millions of personal records of South Africans at the mercy of hackers.

In a notification in accordance with the country’s data privacy law, the Protection of Personal Information Act (POPIA), Dis-Chem says: “It was brought to our attention on 1 May 2022 that an unauthorised party had managed to gain access to the contents of the database.

“Upon being made aware of the incident, we immediately commenced an investigation into the matter and to ensure the appropriate steps were taken to prevent any further incidents.”

According to the firm, after investigating a suspected data compromise suffered by one of its third-party service providers and operators, “we hereby confirm and notify you in terms of section 22 of POPIA, that certain personal information was accessed by an unauthorised person on or about 28 April 2022”.

The company says it has since taken the necessary measures in conjunction with its operator to determine the scope of the compromise and restore the integrity of the operator’s information system.

It adds there is currently no indication that any personal information has been published or misused as a result of the incident.

“However, we cannot guarantee that this position will remain the same in future. Therefore, out of an abundance of caution, we are providing information about the incident as well as the remedial action taken to mitigate against any further adverse consequences of the incident.”

Dis-Chem explains that it had contracted with a third-party service provider and operator for certain managed services.

It says the operator developed a database for Dis-Chem, which contained certain categories of personal information necessary for the services offered by Dis-Chem.

“Our investigation has revealed that the incident affected a total of 3 687 881 data subjects and that the following personal information was accessed – first name and surname, e-mail address and cellphone number.”

According to the company, based on the categories of personal information impacted, there is a possibility that any impacted personal information may be used by the unauthorised party to commit further criminal activities, such as phishing attacks, e-mail compromises, social engineering and/or impersonation attempts.

For example, it cautions, it may be cross-referenced with information compromised in other third-party cyber incidents, for the further perpetration of crime against data subjects.

While investigations into the incident are still ongoing, Dis-Chem says the operator has confirmed it has deployed additional safeguards in order to ensure protection and security of information on the database.

These safeguards include, but are not limited to, enhanced access management protocols to the database, it adds.

“We are not aware of any actual misuse or publication of personal information from the personal information that may have been acquired. We are, however, continuing, with the assistance of external specialists, to undertake web monitoring (including the dark web) for any publication of personal information relating to the incident.”

The retailer recommends that the affected data subjects remain vigilant and should be cognisant of the following security best practices:

• Do not click on any suspicious links.

• Refrain from disclosing any passwords or PINs via e-mail, text or even social media platforms.

• Change passwords often and ensure there is complexity in the configuration (ie, with the use of special characters).

• Ensure regular anti-virus and malware scans are performed on any electronic devices and check software is up to date.

• Only provide personal information when there is a legitimate reason to do so.

South African organisations are increasingly being targeted by cyber criminals. For example, in September, over a million South African citizens potentially had their personal data exposed after a ransomware attack at debt recovery services firm Debt-IN Consultants. Most local banks make use of Debt-IN Consultants’ services.

In August, credit bureau Experian suffered a breach of data, which exposed some personal information of as many as 24 million South Africans and 793 749 business entities to a suspected fraudster.

The Information Regulator, in October, expressed shock that Experian customer data was recently leaked on Telegram, in what appears to be a continuation of the data breach the credit bureau experienced last year.

Also last year, big-four bank Absa suffered a data leak, which exposed customer data to external parties.

Ransomware attacks have also become common in SA, with organisations like Transnet, the justice department and the South African National Space Agency recently falling victim.

The Information Regulator, which enforces POPIA, has from time to time said it is concerned about the high number of security breaches in SA.