POPIA: Enforcement Notice issued to Dis-Chem


Around April and May 2022 Dis-Chem’s third-party service provider, Grapevine, suffered a brute force attack by an unauthorised party. A brute force attack attempts to crack a password by repeatedly trying different character combinations until the right one is found. On 1 May 2022 Dis-Chem became aware of the security compromise, or data breach, through SMSs sent to some of its employees, and on 5 May 2022 Dis-Chem notified the Regulator in writing of the security compromise.

Approximately 3.6 million data subjects’ records were accessed from Dis-Chem’s e-Statement Service database which was managed by Grapevine. The affected records in this database were limited to names and surnames, e-mail addresses, and cellphone numbers of the data subjects (the individuals to whom the personal information relates). 

The Regulator then conducted its own initiative assessment into the security compromise following Dis-Chem’s failure to notify data subjects as required by section 22 of POPIA. Following the assessment, the Regulator determined that Dis-Chem had interfered with the protection of personal information of the data subjects, and thus breached the conditions for the lawful processing of personal information.

The Regulator’s assessment found that Dis-Chem failed to:

  • identify the risk of using weak passwords and prevent the usage of such passwords.

  • put in place adequate measures to monitor and detect unlawful access to their environment.

  • enter into an operator agreement with Grapevine and ensure that Grapevine has adequate security measures in place to secure personal information in its possession.

Furthermore, the agreement would have outlined processes of reporting to Dis-Chem in the event of a security compromise.
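The two technical findings above (weak passwords not prevented, unlawful access not detected) expressed as a defender-side check over authentication logs. This is an added illustration, not part of the Regulator's notice and not Dis-Chem or Grapevine code; the log format, the sample lines, the thresholds and the password policy are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # failed logins from one source ...
WINDOW = timedelta(minutes=2)   # ... inside this sliding window raise an alert

# Constructed sample in an assumed "timestamp key=value ..." format (not real Grapevine logs).
SAMPLE_LOG = [
    "2022-04-28T10:15:01+00:00 auth=OK user=ana src=198.51.100.9",
    "2022-04-28T10:15:10+00:00 auth=FAIL user=jsmith src=203.0.113.7",
    "2022-04-28T10:15:12+00:00 auth=FAIL user=jsmith src=203.0.113.7",
    "2022-04-28T10:15:14+00:00 auth=FAIL user=jsmith src=203.0.113.7",
    "2022-04-28T10:15:16+00:00 auth=FAIL user=jsmith src=203.0.113.7",
    "2022-04-28T10:15:18+00:00 auth=FAIL user=jsmith src=203.0.113.7",
    "2022-04-28T10:15:20+00:00 auth=OK user=jsmith src=203.0.113.7",
    "2022-04-28T10:30:00+00:00 auth=FAIL user=ana src=198.51.100.9",
]

def parse(line):
    """Split one assumed-format log line into a timestamp and a dict of key=value fields."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts), fields

def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Alert on a burst of failures from one source, and on a later success from that same source
    (the pattern a successful password-guessing attack leaves behind)."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) failures still inside the window
    alerted, alerts = set(), []
    for line in lines:
        ts, f = parse(line)
        src = f["src"]
        if f["auth"] == "OK":
            if src in alerted:
                alerts.append({"src": src, "kind": "success_after_burst", "user": f["user"], "at": ts})
            continue
        q = recent[src]
        q.append((ts, f["user"]))
        while ts - q[0][0] > window:       # drop failures that have fallen out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "kind": "burst", "failures": len(q),
                           "users": sorted({u for _, u in q}), "at": ts})
    return alerts

def is_weak_password(pw, denylist=frozenset({"password", "123456", "qwerty", "welcome1"})):
    """Minimal gate for the weak-password finding: minimum length plus a denylist (assumed policy)."""
    return len(pw) < 12 or pw.lower() in denylist
```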

Dis-Chem must provide a report to the Regulator on the implementation of the actions ordered in the Enforcement Notice within thirty-one (31) days of its issuing and receipt. Should Dis-Chem fail to abide by the Enforcement Notice within the stipulated timeframe, it will be guilty of an offence, for which the Regulator may impose an administrative fine of an amount not exceeding R10 million, or it may be liable upon conviction to imprisonment, or both.

Download the Media Release:

https://inforegulator.org.za/wp-content/uploads/2020/07/FINAL-MEDIA-STATEMENT-ENFORCEMENT-NOTICE-ISSUED-TO-DISCHEM-PHARMACIES-LTD.pdf

Relevance to Auditors, Independent Reviewers & Accountants:

  • POPIA is an important piece of legislation that your clients must comply with, and with which you must assess their compliance. If they do not comply with the relevant laws and regulations, you have certain reporting obligations in terms of NOCLAR (Non-Compliance with Laws and Regulations) – this could include reporting to management, qualifying your audit opinion, reporting a Reportable Irregularity, etc.

  • As an auditor, independent reviewer and accountant, you also need to be aware of media statements, enforcement notices, etc. that have been issued by the Information Regulator and its Enforcement Committee.

Relevance to Your Clients:

  • An entity (company or close corporation) should be aware of media statements, enforcement notices, etc. that have been issued by the Information Regulator and its Enforcement Committee.
