3.7 million client records compromised in Dis-Chem data ‘incident’
JSE-listed Dis-Chem Pharmacies has disclosed that a data “incident” involving a “third-party service provider or operator” has led to the compromise of millions of client records containing personal information.
It has not named the third party, but said in a holding statement sent to TechCentral that the company in question had suffered a “suspected cyberattack”. It said no sensitive medical, financial or banking information was contained in the database and that it “immediately took necessary action” and “all possible steps have been taken to isolate the threat”.
Dis-Chem revealed the incident in a notification published on its website in terms of section 22 of the Protection of Personal Information Act.
The incident affects almost 3.7 million Dis-Chem customers, with the following information compromised:
- First names and surnames
- E-mail addresses
- Cellphone numbers
“Based on the categories of personal information impacted, there is a possibility that any impacted personal information may be used by the unauthorised party to commit further criminal activities, such as phishing attacks, e-mail compromises, social engineering and/or impersonation attempts,” Dis-Chem said.
“For example, it may be cross-referenced with information compromised in other third-party cyber incidents for the further perpetration of crime against data subjects,” it said.
“Certain personal information was accessed by an unauthorised person on or about 28 April 2022,” the pharmacy group said in the notification. “We have since taken the necessary measures in conjunction with our operator to determine the scope of the compromise and to restore the integrity of our operator’s information system.”
It said there is “currently no indication that any personal information has been published or misused as a result of the incident”.
“However, we cannot guarantee that this position will remain the same in future. Therefore, out of an abundance of caution, we are providing information about the incident as well as the remedial action taken to mitigate against any further adverse consequences of the incident.”
Dis-Chem said it hired the unnamed service provider for “certain managed services”. This third party developed a database for Dis-Chem that contained “certain categories of personal information necessary for the services offered by Dis-Chem”.
“It was brought to our attention on 1 May 2022 that an unauthorised party had managed to gain access to the contents of the database. Upon being made aware of the incident, we immediately commenced an investigation into the matter and to ensure that the appropriate steps were taken to prevent any further incidents.”
Dis-Chem said its third-party service provider has deployed “additional safeguards” to ensure protection and security of information on the database. “These safeguards include, but are not limited to, enhanced access management protocols to the database.
“We are not aware of any actual misuse or publication of personal information from the personal information that may have been acquired. We are however continuing, with the assistance of external specialists, to undertake Web monitoring (including the dark Web) for any publication of personal information relating to the incident.”