Dis-Chem hit by data breach: personal information of 3.6-million people accessed
Dis-Chem has confirmed that an “unauthorised party” gained access to a database containing the personal information of more than 3.6-million people, information that could be used for criminal activities such as phishing attacks.
The information includes first names and surnames, e-mail addresses and cellphone numbers.
“After investigating a suspected data compromise suffered by one of our third party service providers and operators, we hereby confirm ... that certain personal information was accessed by an unauthorised person on or about April 28,” the pharmacy retailer said in a statement.
Dis-Chem said the data breach was brought to its attention on May 1. “We immediately commenced an investigation into the matter and to ensure that the appropriate steps were taken to prevent any further incidents.”
The retailer explained it had contracted a third party service provider and operator for “certain managed services”. The operator then developed a database for Dis-Chem which contained categories of personal information necessary for the services offered by Dis-Chem.
“Upon being made aware of the incident, we immediately commenced an investigation into the matter and to ensure that the appropriate steps were taken to prevent any further incidents. Our investigation has revealed that the incident affected a total of 3,687,881 data subjects.”
Names, e-mail addresses and cellphone numbers were compromised.
“Please note there is currently no indication that any personal information has been published or misused as a result of the incident. We stress that no identification numbers, medical, financial or banking information was contained in this database. However, we cannot guarantee that this position will remain the same in future. Therefore, out of an abundance of caution, we are providing information about the incident as well as the remedial action taken to mitigate against any further adverse consequences of the incident.”
However, the retailer cautioned: “Based on the categories of personal information impacted, there is a possibility that any impacted personal information may be used by the unauthorised party to commit further criminal activities, such as phishing attacks, e-mail compromises, social engineering and/or impersonation attempts. For example, it may be cross-referenced with information compromised in other third party cyber incidents, for the further perpetration of crime against data subjects.”
Dis-Chem's recommendations for those who may be affected by the breach:
- Do not click on any suspicious links.
- Refrain from disclosing any passwords or PINs via e-mail, text or social media platforms.
- Change your passwords often and ensure there is complexity in the configuration (with the use of special characters).
- Ensure regular antivirus and malware scans are performed on any electronic devices and check software is up to date.
- Only provide personal information when there is a legitimate reason to do so.
“While investigations into the incident are still ongoing, the operator has confirmed it has deployed additional safeguards in order to ensure protection and security of information on the database. These safeguards include, but are not limited to, enhanced access management protocols to the database,” said the retailer.
“We are not aware of any actual misuse or publication of personal information from the personal information that may have been acquired. We are however continuing, with the assistance of external specialists, to undertake web monitoring [including the dark web] for any publication of personal information relating to the incident.”