Cyber Incident Victim: Clicks
Date: May 2023
Location: South Africa
Summary
A cybersecurity incident at Clicks resulted in unauthorized access to a small number of pharmacy customers' personal data. The compromised information included names, ID numbers, contact details, and dispensary information primarily related to over-the-counter medication purchases. No customer passwords or banking information was accessed. The company immediately deployed a security patch to limit further access, reported the incident to the regulator, and began contacting affected customers to offer advice and support.
Description
On May 31, 2023, the South African retail pharmacy company Clicks experienced a cyber security incident. The company became aware of the attack on that date and immediately invoked its standby cyber and IT protection protocols. The initial response involved deploying a security patch designed to limit further unauthorized access to customers' personal data. Following the discovery of the breach, Clicks reported the incident to the Information Regulator in compliance with South African data protection laws.

The investigation determined that the incident was isolated and affected a very small portion of the customer base, approximately 0.05% of Clicks' pharmacy customers. The data that was accessed included customers' names, ID numbers, and contact details. Selected dispensary details relating to transactions in May at a small number of Clicks pharmacies were also accessed. Where healthcare information was involved, it mainly pertained to purchases of over-the-counter medications; the examples named were Myprodol, Allergex, and Corenza-C. The company emphasized that in most cases the personal information accessed was incomplete, for example a name with no accompanying contact details, or a cellphone number without an associated name. The investigation confirmed that no customer passwords or banking information were accessed during the incident.
As part of its response, Clicks undertook an investigation into the breach and initiated direct contact with the affected customers. The purpose of this contact was to advise them of the incident and to offer appropriate advice and support. The company stated that it maintains high IT security standards which are continuously reviewed and updated to safeguard customer information. Following the deployment of the initial security patch, Clicks implemented additional safety measures to further protect customer data. Customers were advised to be cautious of individuals who might attempt to impersonate Clicks to obtain further information from them as a result of the breach.
The company provided specific steps for customers to protect themselves in the wake of the incident, based on the types of data known to have been accessed. Customers were advised to be wary of emails and telephone calls from people requesting personal details, especially information used to verify identity such as date of birth, residential address, email address, username, or passwords. Although no financial data was compromised, concerned customers were advised to alert their financial institution and, where applicable, their medical aid scheme so that these entities could apply additional monitoring and security controls to their accounts. Customers were also instructed to monitor their medical aid statements closely for unauthorized transactions and to report any suspicious activity immediately to their medical aid administrator. Furthermore, customers were directed to contact South Africa’s credit bureaus, TransUnion and Experian, to confirm whether their identity had been used to obtain credit without their knowledge. For those receiving unwanted telemarketing calls, registering with the Direct Marketing Association of South Africa’s “Do Not Call register” was suggested. The company also recommended that any customer who felt uncomfortable about a request for information from someone claiming to be from Clicks should visit a physical store and speak to a pharmacist directly.
The incident highlighted the legal obligations of organizations in South Africa following a data breach. The Protection of Personal Information Act (POPI Act) imposes strict requirements on businesses that collect, use, store, or destroy personal information. Companies may only collect information for a specific purpose, must ensure it is relevant and up to date, and must have reasonable security measures in place to protect it. They may only keep information for as long as necessary and must allow data subjects to access their information on request. In the event of a breach, companies are required by law to notify the Information Regulator and the data subjects whose personal information was unlawfully accessed, provided such notification does not hamper the investigation. The breach at Clicks involved the kinds of personal information protected under the Act, which include contact information, demographic information, and opinions about a person. The company's public statements and actions, including notifying the regulator and affected individuals, were consistent with these legal requirements. The compromise of data such as ID numbers and dispensary details falls squarely within the scope of information that the POPI Act is designed to protect, making the breach a significant event in terms of compliance and data subject rights.
