The retail pharmacy said in a statement that it has contracted with a third-party service provider and operator for certain managed services.
“In these circumstances the operator developed a database for Dis-Chem which contained certain categories of personal information necessary for the services offered by Dis-Chem.
“It was brought to our attention on 1 May 2022, that an unauthorised party had managed to gain access to the contents of the database. Upon being made aware of the incident, we immediately commenced an investigation into the matter and to ensure that the appropriate steps were taken to prevent any further incidents,” Dis-Chem said.
A total of 3,687,881 data subjects have been affected. The following personal information was accessed –
Dis-Chem warns that there is a possibility that any impacted personal information may be used by the unauthorised party to commit further criminal activities, such as phishing attacks, email compromises, social engineering and/or impersonation attempts. For example, it may be cross-referenced with information compromised in other third-party cyber incidents, for the further perpetration of crime against data subjects.
“Whilst investigations into the incident are still ongoing, the operator has confirmed it has deployed additional safeguards in order to ensure protection and security of information on the database. These safeguards include, but are not limited to, enhanced access management protocols to the database.
“We are not aware of any actual misuse or publication of personal information from the personal information that may been acquired. We are however continuing, with the assistance of external specialists, to undertake web monitoring (including the dark web) for any publication of personal information relating to the incident,” Dis-Chem said.