Dis-Chem data breach: What could crooks do with your leaked information?

12 May 2022 - 15:24
By Shonisani Tshikalange
Dis-Chem said the data breach was brought to its attention on May 1. File photo.
Image: FREDDY MAVUNDA

The names, e-mail addresses and phone numbers accessed by an “unauthorised party” from a Dis-Chem service provider could potentially be used by criminals to try to hoodwink consumers into parting with more sensitive personal information.

Those affected by the breach — about 3.6-million people — could see a potential increase in spam e-mails and spam calls. But criminals won’t be able to do too much with the compromised data on its own, say experts.

Southern African Fraud Prevention Service (SAFPS) CEO Manie van Schalkwyk said criminals could try to leverage the information to gain access to more sensitive consumer data.

“If you look at those data elements, in itself they really can’t do much. The modus operandi is that they will contact the consumers, either on e-mail or phone, and it will look like they are coming from the bank,” said Van Schalkwyk.

“And then they will, for instance, say to the consumer, 'we are phoning from the bank and there is a big debit order on your account that needs to go off, should we stop it for you?' And of course, people will say yes.

“And then they will try to provide the consumer with information to make them feel at ease that these people are phoning from the bank. And that is when they use the information that they have stolen — they provide information to you so you feel more comfortable.

“Then they will ask questions to say, 'just verify your bank account details' and they use tricks like, 'my system just went down, please give me your PIN, I know I shouldn’t ask but the moment my system comes back I will then help you to stop the debit order'.”

Van Schalkwyk said another modus operandi could be to use the information in e-mail and SMS campaigns asking the targeted person to click on a link.

“My advice to consumers is that when they get these e-mails, SMSes or calls, ignore them. Phone the bank on the telephone number you have to find out what is going on,” he said.

Cybersecurity expert, co-founder and CEO of GoldPhish Dan Thornton said other than a potential increase in spam e-mails and spam calls, the breach — as reported — did not place the data of subjects at major increased risk from cybercriminals.

“It's never great for the data subjects or a company’s reputation when a data breach involves personal information being lost to attackers. However, it seems the data set in the case of this Dis-Chem breach is fairly limited,” said Thornton.

“Now if the breached data set had included plain text passwords [not encrypted], financial data or sensitive personal medical data on the subjects, the breach implications on consumers would be very different. This type of data is extremely valuable on the dark web, where attackers can sell it on to criminal networks who will, in turn, use the data to launch targeted social engineering scams and extortion attacks against the subjects.”

He said the latest incident was a clear case of a supply-chain cybersecurity attack.

“Most organisations rely on suppliers to deliver products, systems and services. Gone are the days where businesses are hosting and managing absolutely everything, including an on-premise server room. These are generally being outsourced to hi-tech companies.

“But supply chains can be large and complex, involving many suppliers to fulfil various functions. Securing the supply chain can be challenging for businesses because vulnerabilities can be inherent, or introduced and exploited at any point in the supply chain, causing damage and disruption,” he added.

Thornton said businesses had to treat their data with more care by implementing more stringent controls such as:  

  • understanding exactly what data the company holds and where it is;
  • identifying what sensitive data is held (passwords, financial, medical, business sensitive) and asking: “Do we absolutely need to be holding that?”;
  • identifying every person with access to the sensitive information and justifying why they need it;
  • protecting access through technical controls and multi-factor authentication; and
  • training employees to understand the value of protecting data so they can support all the steps mentioned and act as a valuable cog in the cybersecurity machine. 

