Dis-Chem, the South African second-largest retail pharmacy network has found itself in a data breach dilemma in which millions of its customers’ records were compromised.

“We have since taken the necessary measures in conjunction with our operator to determine the scope of the compromise and to restore the integrity of our operator’s information system.” Dis-Chem

According to a report released by dis-chem the data “incident” happened through one of their “third-party service providers and operators” (“the unauthorized party”) on or about 28 April 2022 (“the incident”) although the firm is yet to disclose the suspected party. 

They affirmed to their customers that the affected database contained no sensitive data such as medical, financial, or banking information and that it “immediately took necessary action” and ” all possible steps to isolate the threat.”

About Dis-Chem Data Breach

In accordance with Section 22 of the Personal Data Protection Act, Dis-Chem published a notification on their website about the occurrence.

The Unauthorized access to personal information occurred on or around April 28, 2022, the group reported. In collaboration with their operator, we’ve since taken steps to assess the damage and restore our operator’s information system’s integrity.

“It was brought to our attention on 1 May 2022, that an unauthorised party had managed to gain access to the contents of the database,” Dis-Chem said in a statement

 

Read Also : Google to Remove 900,000 Abandoned Apps from Play Store

 

“Upon being made aware of the incident, we immediately commenced an investigation into the matter and to ensure that the appropriate steps were taken to prevent any further incidents,” it added.

The investigation indicated that a total of 3 687 881 data subjects were affected by the incident and that the following individuals’ personal information was accessed:

  • first names and last names
  • Email address
  • mobile numbers

“Based on the categories of personal information impacted, there is a possibility that any impacted personal information may be used by the unauthorised party to commit further criminal activities, such as phishing attacks, emails compromises, social engineering and/or impersonation attempts.”

“For example, it may be cross-referenced with information compromised in other third-party cyber incidents, for the further perpetuation of crime against data subjects.”

What Are The Consequences Of The Incident?

Since the data accessed doesn’t hold sensitive information, criminals won’t be able to do too much with the compromised data, say experts.

According to the Chief Executive Officer of the Southern African Fraud Prevention Service (SAFPS), Manie van Schalkwyk said in a statement that criminals could try to use the information as a stepping stone to acquire more sensitive consumer data.

“If you look at those data elements, in themselves itself they really can’t do much. The modus operandi is that they will contact the consumers, either by e-mail or phone, and it will look like they are coming from the bank,” said Van Schalkwyk.

“And then they will, for instance, say to the consumer, ‘we are phoning from the bank and there is a big debit order on your account that needs to go off, should we stop it for you?’ Of course, they will say yes.

 

Read Also : Cybersecurity Experts Discover Fake Windows 11 Upgrades

 

Moreover, “And then they will try to provide the consumer with information to make them feel at ease that these people are phoning from the bank. And that is when they use the information that they have stolen — they provide information to you so you feel more comfortable.

“Then they will ask questions to say, ‘just verify your bank account details and they use tricks like, ‘my system just went down, please give me your PIN, I know I shouldn’t ask but the moment my system comes back I will then help you to stop the debit order’.”

Observations

While Investigations into the incident are still ongoing, the third-party operator has deployed additional safeguards — including enhanced access management protocols — to secure the information on the database.

They have not been made aware of any actual misuse or dissemination of personal information that may have resulted from the acquisition of personal information.

“We are however continuing, with the assistance of external specialists, to undertake web monitoring (including the dark web) for any publication of personal information relating to the incident.”

How Can Customers Be Protected From Further Harm?

So that more damage doesn’t happen, they suggest that people whose data was stolen stay alert and know the following security best practices:

  • Do not click on any suspicious links.
  • Refrain from disclosing any passwords or PINs via email, text or even social media platforms.
  • Change your passwords often and ensure there is complexity in the configuration (i.e. with the use of special characters).
  • Ensure regular anti-virus and malware scans are performed on any electronic devices and check software is up to date.
  • Only provide personal information when there is a legitimate reason to do so.