Enforcement Notice Issued To Dis-Chem For Violating POPIA

On the 31st of August 2023, the Information Regulator took action by issuing an Enforcement Notice against Dis-Chem, due to their non-compliance with several provisions of the Protection of Personal Information Act (POPIA).

In the timeline of events, it was revealed that during the months of April and May in 2022, a brute force attack was launched against Grapevine, a third-party service provider engaged by Dis-Chem. A brute force attack involves repeated attempts to guess a password until the correct combination is discovered. It wasn’t until the 1st of May 2022 that Dis-Chem became aware of this security breach when certain employees received SMS notifications.

On the 5th of May 2022, Dis-Chem duly informed the Regulator in writing regarding this security breach.

This cyberattack led to unauthorised access to the e-Statement Service database, which was under the management of Grapevine, and resulted in the exposure of the personal information of approximately 3.6 million data subjects.

The compromised data included names, surnames, email addresses, and cellphone numbers of the affected individuals.

The Regulator initiated an assessment into this security breach after Dis-Chem failed to notify the data subjects as required by section 22 of POPIA. Subsequently, the Regulator concluded that Dis-Chem had violated the provisions of POPIA, thereby jeopardising the protection of the personal information of data subjects.

The Regulator’s assessment highlighted several shortcomings on the part of Dis-Chem:

1. Failure to identify the risk of weak passwords and take measures to prevent their use.
2. Inadequate monitoring and detection of unlawful access to their systems.
3. Absence of an operator agreement with Grapevine that ensured sufficient security measures were in place for safeguarding personal information, including procedures for reporting security breaches.

Consequently, the Enforcement Notice issued by the Regulator imposes specific obligations on Dis-Chem, including but not limited to:

1. Conducting a comprehensive Personal Information Impact Assessment to ensure compliance with the conditions for lawful processing of personal information, as mandated by Regulation 4(1)(b) of POPIA.
2. Developing and implementing a robust Incident Response Plan.
3. Adopting the Payment Card Industry Data Security Standards (PCIDSS), including maintaining a vulnerability management program, implementing stringent access control measures, and upholding an Information Security Policy.
4. Ensuring the establishment of written contracts with all operators entrusted with personal information processing on their behalf, which explicitly mandate the operators to maintain security measures in accordance with section 19 of POPIA.
5. Establishing, implementing, monitoring, and maintaining a comprehensive compliance framework, in line with Regulation 4(1)(a) of POPIA, which clearly outlines the reporting obligations of Dis-Chem and its operators under section 22 of POPIA.

Dis-Chem is required to submit a report to the Regulator outlining the steps taken to comply with the directives in the Enforcement Notice within a period of thirty-one (31) days from the date of issuance. Failure to adhere to the terms of the Enforcement Notice within the stipulated timeframe may result in Dis-Chem facing penalties, including administrative fines not exceeding R10 million or potential imprisonment upon conviction, or both, as determined by the Regulator.