Out-Law News

Pam Golding data breach incident a reminder of notification duties in South Africa


The recent data breach incident at South African real estate company Pam Golding Properties serves as a timely reminder of companies’ notification duties under South Africa’s data protection regime when personal information of clients is potentially compromised, and what it means for the individuals receiving such security compromise notifications, according to legal experts.

The security incident took place on 7 March, when an unauthorised third party gained access to Pam Golding’s customer relationship management system. Pam Golding’s notification says that it took immediate action to secure its systems, remove unauthorised access, and notify affected persons in accordance with South Africa’s Protection of Personal Information Act (POPIA).

Data privacy expert Mark Thomas of Pinsent Masons said: “Although the notification indicates that no banking details, financial information or other documents were compromised, the notice does state that a customer relationship management system hosted on servers in South Africa had been compromised, which may have resulted in unauthorised access to personal information.”

POPIA imposes a legal obligation on responsible parties to notify the South African Information Regulator, and the data subject, where “there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person”.

Under the data protection law, “personal information” is information relating to a natural person and, in some cases, companies, including but not limited to identity numbers, email addresses, physical addresses, telephone numbers, and names.

According to Thomas, the notification must be made as soon as reasonably possible after the discovery of the security compromise. A notification to the data subject can only be delayed if the notification might impede a criminal investigation. “The purpose of the notification is to provide the data subject with sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise,” he said.

In the email communication Pam Golding sent out to affected individuals, it emphasised its commitment to data protection and its obligations under POPIA, and set out seven steps it intends to take to contain the incident and prevent any further recurrence. While the company is still investigating the incident, it has informed the affected data subjects of the potential risks, such as potential identity fraud by cybercriminals, and provided advice on how to protect themselves against these potential frauds.

Regulatory expert Andrew Attieh of Pinsent Masons said: “Simply because you receive a notification, it is not necessarily a cause for alarm. The fact that you have received a notification means that the notifying party is doing so in compliance with their legal obligations in terms of POPIA, and is a responsible action to take.”

However, with cybercrime becoming a growing threat throughout the world, Attieh said, affected clients need to take proactive steps to protect themselves against identity theft and fraud and stay alert against any suspicious calls, texts or emails that could be a scam.

For example, if an individual receives any suspicious messages or calls, it is important not to hand over any sensitive information such as bank account details or user login passwords. It is also prudent to check that links look correct before clicking on them, while looking out for signs of a phishing scam, such as emails containing spelling mistakes. Installing the latest security updates is another important step to protect against potential cybercrimes.
