6.7K exposed in Garmin SA hack, regulator seeks answers

Read time 3min 30sec
Advocate Pansy Tlakula, chairperson of the Information Regulator.
Advocate Pansy Tlakula, chairperson of the Information Regulator.

The Information Regulator is looking to take GPS and fitness accessory maker Garmin SA to task after it was hacked last week, leaving customers’ credit card information at the mercy of cyber criminals.

In a letter to its customers on Thursday, Garmin SA MD Jennifer van Niekerk said: “We recently discovered theft of customer data from orders placed through (operated by Garmin South Africa) that compromised your personal data related to an order that you placed through our Web site.”

The company told ITWeb that it recently became aware of a theft of customer data as part of a criminal cyber attack that affected customers who placed an order through the online portal.

It notes this e-commerce site was operated by a third-party on behalf of Garmin SA.

“Promptly after learning of this incident, we immediately shut down the impacted system, began an investigation, and contacted the South African Information Regulator,” the company says.

“While Garmin does not store credit card information, the unauthorised party leveraged virtual skimming technology to capture customer details at the time of input, including credit card information.”

It explains the compromised data was limited to Garmin’s South African Web site which uses a separate e-commerce system operated by a third-party.

According to Garmin, this incident affected less than 6 700 customers in SA and does not affect customers who purchased from other Garmin Web sites in other regions.

“We take our obligation to safeguard personal data very seriously and regret any inconvenience this may have caused our customers. We are in communication with our South African customers who may have been affected by this issue and are working on safeguards to prevent future attacks.”

However, the Information Regulator says it has not been notified by Garmin SA of the alleged data breach in terms of Section 22 of the Protection of Personal Information Act (POPIA) No 4 of 2013.

Law firm Michalsons explains the Information Regulator is a new regulator that has been created by the POPI Act.

According to Michalsons, POPI gives the Information Regulator teeth – it has extensive powers to investigate and fine responsible parties. Data subjects will be able to complain to the Information Regulator and it will be able to take action on behalf of data subjects. It will regulate both POPIA and the Promotion of Access to Information Act. It reports to Parliament and is the South African equivalent of the Information Commissioner in the UK.

The office of the Information Regulator is made up of advocate Pansy Tlakula as the chairperson, and advocate Cordelia Stroom and Johannes Weapond as full-time members.

Weapond tells ITWeb the regulator is mindful of the fact that the sections which create compliance requirements are not yet operational.

As such, the regulator will encourage proactive compliance with POPIA by public and private bodies.

“The regulator undertakes to write to Garmin SA to obtain confirmation of the alleged breach, the extent of the data breach, date of the data breach and time of detection, number of affected customers as well as the interim measures that Garmin SA is putting in place to prevent a recurrence of the data breach,” says Weapond.

“Of importance would be to understand if any investigation is been currently undertaken by Garmin SA and any other matters connected to the alleged breach that SA Garmin would like to report to the Information Regulator.

“The Information Regulator is currently practising positive regulation, by encouraging proactive compliance by public and private bodies with the provisions of POPIA and where possible, we conduct awareness sessions, training and provide general guidance to data subjects as well as private and public bodies,” Weapond concludes.

See also