Retail chain Naivas could face a Sh 5 million fine for failing to report on time a ransomware attack that hit it in April this year.
Section 43 of the Data Protection Act 2019 requires data controllers to notify the Office of the Data Protection Commissioner (ODPC) of a data breach, and to also notify the affected data subjects where the data accessed is personally identifying.
Data Commissioner Immaculate Kassait faulted Naivas for failing to report the matter within the 72 hours required by law, adding that action against the firm will be taken in accordance with the law.
Kassait was speaking before the Senate ICT Committee, which heard that the breach resulted in the unauthorized transfer of 611 GB of data, including customer loyalty programme records containing personal data such as names, phone numbers and email addresses.
In April, Naivas, in a statement signed by its Chief Commercial Officer Willy Kimani, confirmed it had been hit by a ransomware attack which compromised some of its data.
While the attackers threatened to leak the data online, Kimani assured customers that their credit and debit card information was safe, as the supermarket does not store such information in its systems.
“At this moment, we are not aware of any malicious use of stolen data. However, it is recommended in the face of this type of situation to pay particular attention to any phishing attempts (by phone, SMS or email) as well as to the sufficient security of passwords,” Kimani stated, adding that the Office of the Data Protection Commissioner was handling the matter.
Kassait said the breach was, however, not reported within the statutory 72-hour period, and that Naivas was unable to determine whether any data had actually been stolen.
She said action will be taken in accordance with the law after an audit on the circumstances of the breach is finalized.
“We have already prepared a preliminary report, and once we have completed the process, we will make it available. The report will set out the administrative action to be taken as well as the action to be taken against Naivas,” she said.
Kassait observed that Naivas has taken some steps to prevent similar incidents in future. The measures include isolating the affected systems, engaging third-party forensic experts, and deploying endpoint protection.