The embattled local supermarket chain Naivas Limited is facing a Sh5 million fine for breaching data protection laws and delaying the reporting of customer data theft.
The supermarket breached the law by failing to report the theft of customer data within the 72 hours the law requires.
While appearing before the Senate ICT Committee yesterday, Data Commissioner Immaculate Kassait said the supermarket chain did not follow the law in reporting the ransomware attack that happened in April this year.
Kassait said the data breach resulted in the unauthorised transfer of 611 GB of personal data, with customer loyalty programme information, including names, phone numbers, email addresses and loyalty points, significantly exposed.
She said the breach was, however, not reported within the statutory 72-hour period, and Naivas was unable to definitively determine the unauthorised transfer of personal data.
This was in contravention of Section 43 of the Data Protection Act, 2019 and Regulation 38 (1) of the Data Protection (General) Regulations 2021 on report of data breaches.
Section 43 requires data controllers to give notice to the Office of the Data Protection Commissioner (ODPC) in the event of a data breach and to further give notice to the data subject if the data accessed is person-identifying.
“Moreover, the office notes that there were inadequate measures to safeguard data whilst in storage,” Kassait noted.
Kassait told the committee that her office has initiated a post-breach audit to fully understand the circumstances of the breach and the culpability of the supermarket chain.
In April this year, the local supermarket chain suffered one of the largest thefts of customer data after hackers breached its servers and financial systems, exposing private information belonging to partners, invoices, agreements and customer data to possible manipulation by third-party actors.
The attack, which led to the mass siphoning of customer details including phone numbers and credit card particulars, came after the founders of the retail chain sold a stake to a consortium of international investors for Sh18.25 billion ($151.97 million).
Naivas management acknowledged the breach, saying it was the victim of a ransomware attack allegedly executed by an online criminal organisation identified as Threat Actor.
“This unlawful intrusion may have compromised some of our data. Naivas has contained this attack, and our systems are secure and our operations are normal,” a notice posted on the official Naivas Twitter handle after the attack read in part.
However, it remains unclear whether the unauthorised access was wholly perpetrated externally or whether there was internal collusion.
The budding retail chain, headed by Chief Commercial Officer Willy Kimani, revealed the attack compromised some of its data.
“We are cooperating with the relevant law enforcement agencies, as they investigate this and the many current ransomware attacks in Kenya,” the quick dispatch to newsrooms read in part.
Naivas management claimed that Threat Actor intends to publish the stolen data, and that it has since informed the Office of the Data Protection Commissioner of Kenya.
If the hackers make good on their threat, the damage to customers could be dire, including possible exposure of personal financial details that international cybercriminals could exploit to siphon money from customers’ bank accounts.
Naivas management has denied holding shoppers’ credit card and debit card details.
“Naivas would like to confirm that we do not hold any credit card or debit card information on our systems, and that such payment information is handled securely and protected through Secure Sockets Layer (SSL) encryption. At this moment, we are not aware of any malicious use of stolen data. However, it is recommended in the face of this type of situation to pay particular attention to any phishing attempts (by phone, SMS or email) as well as to the sufficient security of passwords. We take the protection of personal information very seriously,” the statement says in part.
Heirs of the Mukuha empire, including Martha Waithera, Grace Muthoni, and David Kimani, hold their shares through the investment vehicle Gakiwawa Family whose stake in Naivas has now dropped to 60 per cent.
The IBL-led consortium on the other hand bought the 40 per cent stake in the business through an investment vehicle called Mambo Retail.
“On August 10, 2022, Mambo Retail acquired a 40 per cent stake in Naivas International, representing all shares previously held by Amethis Retail Limited and … part of the shares held by Gakiwawa Family,” IBL said in a circular to its shareholders.
DEG, IFC, and the PE firms bought a 31.5 per cent interest in Naivas in 2020 through the investment vehicle Amethis Retail Limited for Sh6 billion, and the money was spent on fuelling the retailer’s growth across the country.
The deal saw the Mukuha family’s ownership in Naivas reduced to 68.5 per cent.