| Authority: | Regulator - SA |
|---|---|
| Jurisdiction: | South Africa |
| Relevant law: | Section 4 (1)(a) of Promotion of Access to Information Act 2 of 2000 |
| Type: | Violation |
| Outcome: | Violation |
| Started: | N/A |
| Decided: | 31 August 2023 |
| Published: | 1 September 2023 |
| Fine: | N/A |
| Parties: | Regulator vs. Dis-Chem Pharmacies Ltd |
| Case No.: | N/A |
| Appeal: | N/A |
| Original Source: | PAIA |
| Original contributor: | MZIZI Africa |
The Respondent was ordered to take remedial action to address a hack that led to the personal data of 3.6 million customers being breached in 2022, or face a fine of up to R10 million, imprisonment, or both.
This was an own initiative investigation in terms of section 76 (3) of the Protection of Personal Information Act 4 of 2013 (POPIA) by the Regulator against Dis-Chem Pharmacies Ltd (the “Respondent”).
In or around April and May 2022, the Respondent’s third-party service provider, Grapevine, suffered a brute force attack by an unauthorised party. A brute force attack attempts to crack a password by repeatedly trying different character combinations until the correct one is found.
On 1 May 2022 the Respondent became aware of the security compromise (data breach) through SMSs sent to some of its employees, and on 5 May 2022 it notified the Regulator of the security compromise in writing. Approximately 3.6 million data subjects’ records were accessed from the Respondent’s e-Statement Service database, which was managed by Grapevine. The affected records in this database were limited to the names and surnames, e-mail addresses and cellphone numbers of the data subjects (the individuals to whom the personal information relates).
The Regulator found that the Respondent contravened various sections of the Protection of Personal Information Act (POPIA) by failing to:
The Regulator issued an Enforcement Notice to the Respondent by which it ordered the Respondent to: