NOTIFICATION OF SECURITY COMPROMISE IN TERMS OF SECTION 22 OF THE PROTECTION OF PERSONAL INFORMATION ACT, 4 OF 2013
Dis-Chem Pharmacies Limited (“Dis-Chem” / “our” / “we”) provides this notification of a personal information security compromise in terms of section 22 of the Protection of Personal Information Act, 4 of 2013 (“POPI”).
After investigating a suspected data compromise suffered by one of our third party service providers and operators, we hereby confirm and notify you in terms of section 22 of POPI, that certain personal information was accessed by an unauthorised person (“the unauthorised party”) on or about 28 April 2022 (“the incident”).
We have since taken the necessary measures in conjunction with our operator to determine the scope of the compromise and to restore the integrity of our operator’s information system.
Please note there is currently no indication that any personal information has been published or misused as a result of the incident. We stress that no identification numbers, medical, financial or banking information was contained in this database. However, we cannot guarantee that this position will remain the same in future. Therefore, out of an abundance of caution, we are providing information about the incident as well as the remedial action taken to mitigate against any further adverse consequences of the incident.
Overview of the incident
Dis-Chem has contracted with a third party service provider and operator for certain managed services. In these circumstances the operator developed a database for Dis-Chem which contained certain categories of personal information necessary for the services offered by Dis-Chem.
It was brought to our attention on 1 May 2022 that an unauthorised party had managed to gain access to the contents of the database. Upon being made aware of the incident, we immediately commenced an investigation into the matter to ensure that the appropriate steps were taken to prevent any further incidents.
Information that was impacted and the possible consequences to affected data subjects
Our investigation has revealed that the incident affected a total of 3 687 881 data subjects and that the following personal information was accessed –
- first name and surname;
- email address; and
- cell phone number.
Based on the categories of personal information impacted, there is a possibility that any impacted personal information may be used by the unauthorised party to commit further criminal activities, such as phishing attacks, email compromises, social engineering and/or impersonation attempts. For example, it may be cross-referenced with information compromised in other third party cyber incidents, for the further perpetration of crime against data subjects.
We recommend that affected data subjects remain vigilant and be cognisant of the following security best practices:
- Do not click on any suspicious links.
- Refrain from disclosing any passwords or PINs via email, text or even social media platforms.
- Change your passwords often and ensure there is complexity in the configuration (i.e. with the use of special characters).
- Ensure regular anti-virus and malware scans are performed on any electronic devices and check software is up to date.
- Only provide personal information when there is a legitimate reason to do so.
Remedial action taken
Whilst investigations into the incident are still on-going, the operator has confirmed it has deployed additional safeguards in order to ensure protection and security of information on the database. These safeguards include, but are not limited to, enhanced access management protocols to the database.
We are not aware of any actual misuse or publication of personal information from the personal information that may have been acquired. We are however continuing, with the assistance of external specialists, to undertake web monitoring (including the dark web) for any publication of personal information relating to the incident.
For more information
If you have questions or concerns, please contact us at [email protected].
Please know we take this incident very seriously and have been working diligently to investigate and respond.
We sincerely regret that this incident has arisen as a result of unlawful misconduct by a third party, and we remain committed to safeguarding the information in our care.