Enforcement Notice issued to Dis-Chem due to contravention of PoPIA

On 31 August 2023, the Information Regulator (Regulator) issued an Enforcement Notice to Dis-Chem Pharmacies Ltd (Dis-Chem) following its finding that Dis-Chem had contravened various sections of the Protection of Personal Information Act (PoPIA).

Photo by Pixabay via www.pexels.com

Around April and May 2022, Dis-Chem’s third-party service provider, Grapevine, suffered a brute force attack by an unauthorised party. A brute force attack is aimed at cracking a password by continuously trying different combinations until the right character combination is found.

On 1 May 2022, Dis-Chem became aware of the security compromise, or data breach, through SMSs sent to some of its employees, and on 5 May 2022 Dis-Chem notified the Regulator in writing of the security compromise. Approximately 3.6 million data subjects’ records were accessed from Dis-Chem’s e-Statement Service database, which was managed by Grapevine. The affected records in this database were limited to the names and surnames, e-mail addresses, and cellphone numbers of the data subjects (the individuals to whom the personal information relates).

The Regulator then conducted an own-initiative assessment into the security compromise following Dis-Chem’s failure to notify data subjects as required by section 22 of PoPIA. Following the assessment, the Regulator determined that Dis-Chem had interfered with the protection of the personal information of the data subjects, and had thus breached the conditions for the lawful processing of personal information. The Regulator’s assessment found that Dis-Chem failed to:
Accordingly, the Enforcement Notice issued by the Regulator orders Dis-Chem to, among others:
Dis-Chem must provide a report to the Regulator on the implementation of the actions ordered in the Enforcement Notice within thirty-one (31) days of its issuing and receipt. Should Dis-Chem fail to abide by the Enforcement Notice within the stipulated timeframe, it will be guilty of an offence, for which the Regulator may impose an administrative fine of an amount not exceeding R10 million, or Dis-Chem may be liable upon conviction to imprisonment, or both.