The retailer explained it had contracted a third-party service provider and operator for “certain managed services”. The operator then developed a database for Dis-Chem which contained categories of personal information necessary for the services offered by Dis-Chem.
“Upon being made aware of the incident, we immediately commenced an investigation into the matter and to ensure that the appropriate steps were taken to prevent any further incidents. Our investigation has revealed that the incident affected a total of 3,687,881 data subjects.” Names, email addresses and cellphone numbers were compromised.
“Please note there is currently no indication that any personal information has been published or misused as a result of the incident. We stress that no identification numbers, medical, financial or banking information was contained in this database. However, we cannot guarantee that this position will remain the same in future. Therefore, out of an abundance of caution, we are providing information about the incident as well as the remedial action taken to mitigate against any further adverse consequences of the incident.”
However, the retailer cautioned: “Based on the categories of personal information impacted, there is a possibility that any impacted personal information may be used by the unauthorised party to commit further criminal activities, such as phishing attacks, email compromises, social engineering and/or impersonation attempts. For example, it may be cross-referenced with information compromised in other third party cyber incidents, for the further perpetration of crime against data subjects.”
Dis-Chem recommends the following to those who may be affected by the breach:
- Do not click on any suspicious links.
- Refrain from disclosing any passwords or PINs via email, text or social media platforms.
- Change your passwords often and ensure there is complexity in the configuration (with the use of special characters).
- Ensure regular antivirus and malware scans are performed on any electronic devices and check software is up to date.
- Only provide personal information when there is a legitimate reason to do so.
“While investigations into the incident are still ongoing, the operator has confirmed it has deployed additional safeguards in order to ensure protection and security of information on the database. These safeguards include, but are not limited to, enhanced access management protocols to the database,” said the retailer.
“We are not aware of any actual misuse or publication of personal information from the personal information that may have been acquired. We are however continuing, with the assistance of external specialists, to undertake web monitoring [including the dark web] for any publication of personal information relating to the incident.”