Naivas Limited, a local supermarket chain, has come under scrutiny for failing to adhere to data protection regulations by not reporting a customer data theft within the required 72-hour timeframe. The Senate ICT committee revealed the breach during its hearing on Tuesday (September 19, 2023).
Data Commissioner Immaculate Kassait testified before the committee, explaining that Naivas did not follow the legal reporting procedure following a ransomware attack that occurred in April of this year.
According to Kassait, the data breach resulted in the unauthorized transfer of 611 gigabytes of personal data, including customer loyalty program information such as names, phone numbers, email addresses, and loyalty points. The breach exposed a significant amount of personal information.
Kassait highlighted that Naivas failed to report the breach within the statutory 72-hour period, as required by Section 43 of the Data Protection Act, 2019, and Regulation 38(1) of the Data Protection (General) Regulations 2021 concerning the reporting of data breaches.
Section 43 mandates data controllers to promptly inform the Office of the Data Protection Commissioner (ODPC) in the event of a data breach. Moreover, if the accessed data contains personally identifiable information, they are also required to inform the data subjects affected.
Kassait added, “Moreover, the office notes that there were inadequate measures to safeguard data while in storage.”
In April, Naivas’ Chief Commercial Officer, Willy Kimani, revealed that the retail giant had experienced a ransomware attack that compromised some of its data.
Kassait informed the committee that her office has initiated a post-breach audit to thoroughly investigate the breach’s circumstances and determine the extent of Naivas’ responsibility in this matter. If found guilty of breaching data protection regulations, Naivas may face a fine of up to Sh5 million.