Dis-Chem issues data breach warning
South Africans learnt this week of yet another “compromise” of their personal information — almost 3.7-million Dis-Chem customers’ names, email addresses and cellphone numbers are in the hands of an “unauthorised party”.
In a notice posted on its website this week, the pharmaceutical giant said the unnamed service provider it contracts with “for certain managed services” had created a Dis-Chem database containing “certain” customer information, and an “unauthorised party” had managed to access it.
“No identification numbers, medical, financial or banking information was contained in this database,” Dis-Chem said.
But it diluted that reassurance by adding: “However, we cannot guarantee that this position will remain the same in future.”
On Twitter, Jacques Rentzke asked: “Why did Dis-Chem choose not to contact affected clients?”
Information Regulator spokesperson Nomzamo Zondi said the Protection of Personal Information Act does not compel companies to send personal notifications to consumers affected by a data breach.
Their notification options are mailing consumers at their last known physical address or alerting them via email; placing a notification in a prominent position on their company website; having the notification published in news media; or “as directed by the regulator”.
But armed with just a person’s name, cellphone number and email address, a fraudster can lure many victims into giving up additional personal information, said Dalene Deale, executive head of Secure Citizen, an organisation created in collaboration with the South African Fraud Prevention Service (SAFPS) in response to the rapid growth of identity theft and online fraud.
“Fraudsters have the capability of calling 3.6-million people, advising them that they were unfortunately part of the hack that is now in the news. ‘But before we continue,’ they could say, ‘I need to confirm that I am speaking to the correct individual. Please confirm your ID number’.”
Or a fraudster could call one of those millions of people on their cellphones, asking if they could proactively prepare the prescription medicine due to be provided, Deale said. “They can then design a method to gain access to scheduled drugs, given that biometric verification doesn’t happen at the point of delivery.”
Commenting on the huge TransUnion data breach in March, SAFPS CEO Manie van Schalkwyk said every company holding consumers’ personal information is a potential target.
“Consumers desperately need an extra layer of protection on their identity against criminals who will turn their lives upside down without a second thought,” said Van Schalkwyk. “About 17-billion cyberattacks take place around the world every day, not all of them successful.”
Dis-Chem has offered “affected data subjects” the following advice:
“Do not click on any suspicious links; refrain from disclosing any passwords or PINs via email, text or social media platforms; change your passwords often and ensure they are complex; ensure regular antivirus and malware scans are performed on any electronic devices and check software is up to date.
“For extra protection,” advises Dis-Chem, “register for the SAFPS’s free Protective Registration.”
In addition, TransUnion is offering an annual subscription of its TrueIdentity program for free. It provides credit monitoring, monthly credit reports and credit alerts via SMS or email.
That means if a fraudster tries to open an account in your name or apply for a loan, you’ll be alerted when the credit provider does a credit check.