Naivas faces Sh5 million fine for failing to report data theft on time

Local retail giant Naivas Supermarket broke the law by failing to report the theft of customer data within 72 hours as required by law and could face a Sh5 million fine, a Senate committee has heard.

Appearing before the Senate ICT Committee, Data Commissioner Immaculate Kassait said the supermarket chain did not follow the law in reporting the ransomware attack that occurred in April this year.

Ms Kassait said the data breach resulted in the unauthorised transfer of 611GB of personal data, with significant exposure of customer loyalty programme information, including names, phone numbers, email addresses and loyalty points.

However, she said the breach was not reported within the statutory 72-hour period and Naivas was unable to conclusively determine the unauthorised transfer of personal information.

This was in breach of Section 43 of the Data Protection Act 2019 and Regulation 38 (1) of the Data Protection (General) Regulations 2021, which relate to the reporting of data breaches.

Section 43 requires data controllers to notify the Office of the Data Protection Commissioner (ODPC) in the event of a data breach, and also to notify the data subject if the data accessed is personally identifiable.

"In addition, the Office finds that there were inadequate measures in place to protect the data during storage," Ms Kassait said.

However, she said there was no information to suggest that customer purchasing patterns were part of the compromised data or that the information had been exposed to the public.

In April, Naivas chief commercial officer Willy Kimani revealed that the retail giant had suffered a ransomware attack that compromised some of its data.

The attack, one of the largest thefts of customer data in the country, breached the retail giant's servers and systems, exposing private information including invoices, contracts and customer details to possible manipulation by unknown actors.

Ms Kassait told the committee, chaired by Trans Nzoia Senator Allan Chesang', that her office had initiated a post-breach audit and inspection to fully understand the circumstances of the breach and the culpability of the supermarket chain.

At the end of the audit process, she said action will be taken in accordance with Section 43 of the Data Protection Act, 2019 and relevant regulations to hold the organisation accountable while assisting with recovery.

"We have initiated an audit and inspection of the organisation to determine the extent of the organisation's recovery, the impact of the breach and to ensure that any adverse impact on data subjects is mitigated," she said.

The DPC said they are in the process of finalising the audit process and are just waiting for a response from the retailer, adding that the audit report will be out in the next four weeks.

"We have already prepared a preliminary report and once we have completed the process, we will make it available. The report will answer the administrative action to be taken as well as the action to be taken against Naivas," she said.

Ms Kassait told the committee that Naivas has taken some steps to respond to the breach, including isolating affected systems, engaging third-party forensic experts and implementing endpoint protection.

She added that Naivas had expressed its intention to take additional measures following the breach, in particular to implement the necessary policies, access controls, logging and monitoring procedures, and data backups on both online and offline servers, in addition to other data protection safeguards, including encryption of data both in transit and at rest.

In addition, Ms Kassait said the retail giant had informed them that it had provided cybersecurity awareness training to its staff.

"The Office is working closely with the company to ensure that these measures are effectively implemented to protect the right to privacy of the individuals involved and to prevent future incidents," she said.