Date: 2023-09-02

By Witness Reporter

The Information Regulator has issued an enforcement notice to Dis-Chem Pharmacies Ltd after hackers retrieved millions of customers’ personal data.

The regulator found that the pharmacy company was in contravention of various sections of the Protection of Personal Information Act (Popia).

It said in a statement that around April and May 2022, Dis-Chem’s third-party service provider, Grapevine, suffered a brute force attack by an unauthorised party.

A brute force attack is aimed at cracking a password by continuously trying different combinations until the right character combination is found.

According to the regulator, Dis-Chem became aware of the security compromise, or data breach, on May 1, 2022, through SMSs sent to some of its employees, and on May 5, 2022, it notified the regulator in writing of this security compromise.

Approximately 3,6 million data subjects’ records were accessed from Dis-Chem’s e-statement service database, which was managed by Grapevine.

The regulator said it then conducted its own assessment into the security compromise following Dis-Chem’s failure to notify data subjects as required by Popia.

Following the assessment, the regulator determined that Dis-Chem had interfered with the protection of personal information of the data subjects, and thus breached the conditions for the lawful processing of personal information.

The enforcement notice issued by the regulator orders Dis-Chem to take certain actions and to provide a report to the regulator on the implementation of the actions ordered in the enforcement notice within 31 days of the issuing and receipt.