Proudly sponsored by

Dis-Chem flags data hack affecting over 3.6m customers

The retailer says it is still investigating the incident and has deployed additional safeguards in the meantime.
The group did not mention the third-party service provider that was hit by the cyber attack. Image: Daniel Acker/Bloomberg

*This article has been corrected: it originally stated that N4aughtysecTU accessed the information of at least 54 million TransUnion clients, when in fact it was records unrelated to TransUnion from prior data breaches. We apologise for the error.


JSE-listed pharmacy retail and healthcare group Dis-Chem has issued a notice on its website alerting customers that one of its third-party service providers suffered a data compromise on Thursday April 28, affecting 3.68 million of its customers.

Dis-Chem says an investigation of the breach – which it became aware of on May 1 – revealed that hackers were able to gain access to the names, email addresses and cellphone numbers of the affected customers.

Read: SA businesses are actively improving their cybersecurity – study

“Upon being made aware of the incident, we immediately commenced an investigation into the matter and to ensure that the appropriate steps were taken to prevent any further incidents,” the group points out.

The retailer assured customers that there is currently no indication that their information has been published or used by the hackers. However, it did also warn that this might not be the case for long.

“Based on the categories of personal information impacted, there is a possibility that any impacted personal information may be used by the unauthorised party to commit further criminal activities, such as phishing attacks, emails compromises, social engineering and/or impersonation attempts,” the notice reads.

Dis-Chem further noted that in such cases hackers can cross-reference the compromised information with data stolen in other cyber attacks, forming part of an elaborate criminal scheme.

In its notice the group did not mention the third-party service provider that was hit by the cyber attack.

TransUnion hack

In mid-March, TransUnion South Africa suffered a massive cyber attack, which saw a hacker group calling itself N4aughtysecTU accessing data (like credit scores, banking details and ID numbers) allegedly obtained from TransUnion and other sources, which the credit bureau says include “at least 54 million records unrelated to TransUnion from prior data breaches dating back to 2017”.

Read: Deadline passes for R220m extortion demand in TransUnion cyber attack

In this incident hackers demanded TransUnion to pay a $15 million ransom in bitcoin – about R220 million – to prevent the leaking of the sensitive information, however TransUnion refused to do so.

The newly established Information Regulator (South Africa) says while it is still investigating the cyber attack on TransUnion, attacks on personal information have been on the rise.

“Unfortunately, instances of data breaches are on the increase. With our enforcement powers having come into effect in July 2021 we remind the responsible parties of their obligation to report security compromises to the regulator,” Mukelani Dimba, head of education and communication at the watchdog, tells Moneyweb in a statement.

“Failure to do so is violation of the provisions of POPIA [Protection of Personal Information Act] and we will hold parties guilty of such a violation accountable for such non-compliance.”

Practice caution

Meanwhile, Dis-Chem says the affected third-party service provider has made of use of additional safeguards to strengthen security and prevent further breaches.

However, Dis-Chem cautions customers to remain cautious and recommends the following:

  • Do not click on any suspicious links.
  • Refrain from disclosing any passwords or PINs via email, text or social media platforms.
  • Change your passwords often and ensure there is complexity in the configuration (i.e. with the use of special characters).
  • Ensure regular anti-virus and malware scans are performed on any electronic devices and check software is up to date.
  • Only provide personal information when there is a legitimate reason to do so.

The group adds that it has employed the assistance of specialists who will monitor the web and dark web to detect the publication of the data stolen by the hackers.



You must be signed in and an Insider Gold subscriber to comment.


This and other data leaks is a reminder how important it is to limit who has what data about you. I will be going through bank statements and see who has debit orders, instruct them that I will pay annually in advance (for a discount) and demand they delete my personal data especially banking details.

They don’t like it, tough : I will change provider. That recent credit record company that leaked data contacted me to offer security checking after they leaked my data. I have no debt data with them – they have no business keeping any data about me in any form at all.

We do have privacy rights, including compelling companies to scrub personal data that they have absolutely no reason to have. Same with this new thing coming that mobile companies must keep biometric data. Stuff that, they can interface to my iphone biometric API. Not even Apple has that data. No cellular company has any business storing any part of my biometric data.

End of comments.




Instrument Details  

You do not have any portfolios, please create one here.
You do not have an alert portfolio, please create one here.

Follow us:

Search Articles:
Click a Company: