Dis-Chem has confirmed an “unauthorised party” gained access to a database containing the personal information of more than 3.6-million people, which could be used for criminal activities, such as phishing attacks.

The information includes first names and surnames, email addresses and cellphone numbers.

“After investigating a suspected data compromise suffered by one of our third party service providers and operators, we hereby confirm ... that certain personal information was accessed by an unauthorised person on or about April 28,” the pharmacy retailer said in a statement.

Dis-Chem said the data breach was brought to its attention on May 1. “We immediately commenced an investigation into the matter and to ensure that the appropriate steps were taken to prevent any further incidents.”

The retailer explained it had contracted a third-party service provider and operator for “certain managed services”. The operator then developed a database for Dis-Chem, which contained categories of personal information necessary for the services offered by Dis-Chem.

“Upon being made aware of the incident, we immediately commenced an investigation into the matter and to ensure that the appropriate steps were taken to prevent any further incidents. Our investigation has revealed that the incident affected a total of 3,687,881 data subjects.” Names, email addresses and cellphone numbers were compromised.

“Please note there is currently no indication that any personal information has been published or misused as a result of the incident. We stress that no identification numbers, medical, financial or banking information was contained in this database. However, we cannot guarantee that this position will remain the same in future. Therefore, out of an abundance of caution, we are providing information about the incident as well as the remedial action taken to mitigate against any further adverse consequences of the incident.”

However, the retailer cautioned: “Based on the categories of personal information impacted, there is a possibility that any impacted personal information may be used by the unauthorised party to commit further criminal activities, such as phishing attacks, email compromises, social engineering and/or impersonation attempts. For example, it may be cross-referenced with information compromised in other third party cyber incidents, for the further perpetration of crime against data subjects.”

“While investigations into the incident are still ongoing, the operator has confirmed it has deployed additional safeguards in order to ensure protection and security of information on the database. These safeguards include, but are not limited to, enhanced access management protocols to the database,” said the retailer.

“We are not aware of any actual misuse or publication of personal information from the personal information that may have been acquired. We are, however, continuing, with the assistance of external specialists, to undertake web monitoring [including the dark web] for any publication of personal information relating to the incident.”

