28 June 2024

NAMPAK TURNAROUND INITIATIVES GAIN MOMENTUM

Read more +
Article by Nampak 28 March 2024

NOTIFICATION OF CYBERSECURITY COMPROMISE

Notification of security compromise in terms of Section 22(1)(b) of the Protection of Personal Information Act, 2013

Nampak Limited (Nampak) wishes to inform its stakeholders and potentially affected data subjects of an information security compromise detected on 20 March 2024. This notice provides information relating to the incident, the measures Nampak has taken in order to mitigate any possible adverse effects, and recommendations on proactive steps which any potentially affected data subject may consider taking to secure their personal information.

Nampak is taking the necessary steps to contain, assess and remediate the security compromise and to restore the integrity of its information systems. This is essential to ensure that personal information is not exposed to further risk. Nampak has retained local and global cybersecurity and forensic experts to work with its capable in-house IT team to manage this process.

Overview of the incident

On 20 March 2024 Nampak detected unauthorised activity on its IT systems. An unauthorised external threat actor unlawfully gained access to these systems, notwithstanding Nampak’s robust and embedded security protocols. As a result, Nampak’s servers were accessed and data was encrypted. 

Due to the encryption of data, it is not possible at present to determine what personal information of data subjects may have been accessed or acquired by the unauthorised external threat actor. Nampak considers it prudent to assume that some personal information may have been accessed or acquired and is accordingly making this notification to allow potentially affected data subjects to take protective measures against the possible consequences of the compromise.

This security compromise has not affected the Company’s manufacturing facilities and operations which are functioning as normal, albeit with some manual operating systems where required.

What Nampak has done

Nampak takes the privacy and security of its stakeholders and their personal information in its care extremely seriously. Nampak has notified the Information Regulator (South Africa) and will cooperate with all relevant authorities as needed. 

Nampak’s primary concern is to take the necessary measures to determine the scope of the compromise, to restore the integrity of Nampak’s information systems and to ensure that it is not exposed to further risk. 

In line with Nampak’s business continuity plans, employees have switched over to backup manual compensating controls and Nampak continues to function using these processes. Nampak is working with its suppliers and customers to ensure that the impact of the incident is contained, and that Nampak is able to continue delivering products as required.

Nampak has implemented various measures to address the compromise.  These are designed to enhance the existing security of its IT systems and to ensure the protection of data and personal information. The protective measures Nampak has taken include isolating and taking the affected servers offline, heightened privileged access management and deploying enhanced threat detection tools.  Nampak is undertaking continuous monitoring for the publication of any data relating to Nampak, or personal information of data subjects in its care, and its related entities on the internet and the dark web.

Nampak will continue to evaluate additional measures to further strengthen its cybersecurity policies and procedures, and technological capabilities, to mitigate against the ever-evolving cyber risk landscape.

Possible consequences to data subjects

The full nature and extent to which personal information may have been compromised will be determined by the investigation currently underway. 

If personal information was contained in the data accessed by the unauthorised external threat actor, it may be used to attempt fraud or further security compromises such as social engineering, impersonation attempts, phishing attacks and/or email compromises. Nampak recommends that all data subjects remain vigilant on any suspicious activities or fraudulent communication they may receive, specifically in relation to requests for banking information and secondary extortion attempts.

Although there is currently no evidence of any misuse of personal information potentially accessed, Nampak encourages its stakeholders to safeguard their personal information by following these security measures, in accordance with best practice:

  • To mitigate any fraudulent consequences, you can place a fraud alert on your credit report at any of the major credit bureaus. 
  • You can register for a free Protective Registration listing with the Southern Africa Fraud Prevention Service (SAFPS) to help protect you against the risks of identity compromise (https://www.safps.org.za/Home/OurServices_ApplyProtectiveRegistration). 
  • Do not disclose personal information such as passwords and PINs when asked to do so by anyone via email, phone, text messages or fax.
  • Verify all requests for personal information and only disclose it when there is a legitimate reason to do so.
  • Carefully consider emails which contain embedded hyperlinks or unexpected attachments. Avoid clicking on links or downloading attachments from suspicious emails.
  • Change your passwords regularly, using lengthy passwords with complexity, and never share these with anyone else.
  • Perform regular anti-virus and malware scans on computers and mobile devices, using software that is up to date.

 

For more information

If you have any questions, concerns or require further assistance, please contact us at privacy@nampak.com.

Nampak prioritises the trust and privacy of its stakeholders. Nampak takes this matter extremely seriously and has dedicated the necessary resources to mitigating the impact on data subjects and other stakeholders. 

Back to top ^