Naivas risks Sh5 million fine in data breach probe

The reported data breach at Naivas resulted in the exfiltration of 611GB of personal data.

by JACKTONE LAWI

News | 19 September 2023 - 15:37

In Summary

•ODPC noted that there is no information provided that suggests that customer purchasing patterns were part of the compromised data.

•According to the ODPC, if Naivas is found guilty, it will have to pay Sh5 million in fines or one percent of its last financial year’s profit, whichever is lower.

Data Commissioner Immaculate Kassait when she appeared before the Senate Committee on ICT

Local retailer Naivas is staring at a fine of up to Sh5 million, or a shutdown, if investigations by the Office of the Data Protection Commissioner prove that the supermarket chain is culpable for the data breach.

The ODPC said that investigations are ongoing to establish what led to the breach and that a detailed report will be released in three weeks.

According to Data Commissioner Immaculate Kassait, if Naivas is found guilty, it will have to pay Sh5 million in fines or one percent of its last financial year’s profit, whichever is lower.

The supermarket chain made a profit of Sh2.1 billion in the nine months ended March 2023, essentially meaning that if it is fined one percent it will have to part with Sh21 million.

The investigations are aimed at establishing the extent of culpability on Naivas Company Limited in the data breach and outlining the specific actions taken by the Office of the Data Protection Commissioner (ODPC) to call the supermarket chain to account.

ODPC says that the office observed that the breach was not reported within the statutory 72-hour period, and that Naivas was unable to definitively determine which personal data had been exfiltrated.

Submissions before the Senate Committee on ICT show that the reported data breach at Naivas resulted in the exfiltration of 611GB of personal data.

Most affected was the customer loyalty programme information, in which names, phone numbers, email addresses and loyalty points were exposed.

However, ODPC noted that there is no information provided that suggests that customer purchasing patterns were part of the compromised data, or that the information was exposed to the public.

While faulting the measures put in place by Naivas, Data Commissioner Immaculate Kassait said that the office had noted inadequate measures to safeguard data while in storage.

“The Office has initiated a post-breach audit and inspection to fully understand the circumstances of the breach and the culpability of the supermarket chain,” she told the committee.

Kassait said action would be taken in accordance with Section 43 of the Data Protection Act, 2019, and the relevant regulations to hold the organisation accountable while assisting in recovery.

She said that apart from the fine, regulations under the Data Protection Act provide for shutting down a firm that contravenes the regulations.

The preliminary forensic investigation report submitted to the ODPC identified that the breach resulted from a ransomware attack by Alpha Spider.

Kassait said her office has reviewed the measures taken by Naivas to respond to the breach.

She said Naivas has expressed intentions to put additional measures in place post-breach.

Naivas said it had put in place the necessary policies, access controls, logging and monitoring procedures, and data backups on both online and offline servers, in addition to other privacy-enhancing safeguards, including encryption of data both in transit and at rest.

Naivas, through its legal manager, noted that the breach happened on March 2, 2023, and that it was not aware at the time of which personal data had been exfiltrated.

“Accordingly, as a result of the insufficient knowledge or insights into the attack, we were required to undertake a thorough investigation in order to establish whether or not a personal data breach had in fact occurred,” Naivas Legal Manager Jean Wambui told the committee in a letter dated May 10.

Kassait added that while immediate measures have been implemented, a further detailed inspection and audit is being undertaken to confirm the current safety of the customer, supplier and employee data held by Naivas.

Naivas will appear before the committee on October 3.
