Naivas faces Sh5m fine for late reporting client data theft

Data Protection Commissioner Immaculate Kassait.

Local supermarket chain Naivas Limited breached the law by failing to report theft of customer data within 72 hours as is required by law and could face a Sh5 million penalty, a Senate committee heard on Tuesday.

Appearing before the Senate ICT committee, Data Commissioner Immaculate Kassait said the supermarket chain did not follow the law in reporting the ransomware attack that happened in April this year.

Ms Kassait said the data breach resulted in the unauthorised transfer of 611 GB of personal data drawn from customer loyalty programme information, including names, phone numbers, email addresses and loyalty points, leaving customers significantly exposed.

She said the breach was, however, not reported within the statutory 72-hour period, and that Naivas was unable to definitively determine the extent of the unauthorised transfer of personal data.

This was in contravention of Section 43 of the Data Protection Act, 2019 and Regulation 38 (1) of the Data Protection (General) Regulations 2021 on report of data breaches.

Section 43 requires data controllers to give notice to the Office of the Data Protection Commissioner (ODPC) in the event of a data breach and to further give notice to the data subject if the data accessed is person-identifying. “Moreover, the office notes that there were inadequate measures to safeguard data whilst in storage,” said Ms Kassait. 

In April, Naivas chief commercial officer Willy Kimani revealed that the retail giant suffered a ransomware attack that compromised some of its data.

Ms Kassait told the committee that her office has initiated a post-breach audit to fully understand the circumstances of the breach and the culpability of the supermarket chain.
