4 April 2024

UPDATE: NOTIFICATION OF CYBERSECURITY COMPROMISE

Article by Nampak 4 April 2024

UPDATED – 04 APRIL 2024

Notification of security compromise in terms of Section 22(1)(b) of the Protection of Personal Information Act, 2013 

On 28 March 2024, Nampak Limited (Nampak) issued a precautionary website notification informing its stakeholders and potentially affected data subjects of an information security compromise detected on 20 March 2024. 

Since then, further information has emerged regarding the possible unlawful disclosure of files accessed or obtained illegally from Nampak by the unauthorised external threat actor. 

While our assessment is ongoing, the potentially impacted data may relate to Nampak’s Legal, Finance and Human Capital functions and include personal information relating to natural and juristic persons.

This updated notice therefore provides information relating to the incident, the measures Nampak has taken in order to mitigate further possible adverse effects, and recommendations on proactive steps which any potentially affected data subject may consider taking to secure their personal information.

Nampak is taking the necessary steps to contain, assess and remediate the security compromise and to restore the integrity of its information systems. Nampak has retained local and global cybersecurity and forensic experts to work with its capable in-house IT team to manage this process.

Updated overview of the incident

On 20 March 2024 Nampak detected unauthorised activity on its IT systems. An unauthorised external threat actor unlawfully gained access to these systems, notwithstanding Nampak’s robust and embedded security protocols. As a result, Nampak’s servers were accessed and data was encrypted. 

Due to the encryption of data, it is not possible at present to determine what personal information of data subjects may have been accessed or acquired by the unauthorised external threat actor. Nampak considers it prudent to provide this updated notification to allow potentially affected data subjects to take protective measures against the possible consequences of the compromise.

This security compromise has not affected the Nampak manufacturing facilities and operations which are functioning as normal, albeit with some manual operating systems where required.

On 3 April 2024, Nampak identified that the external threat actor published a dark web post revealing Nampak as a victim on a page associated with the LockBit 3.0 ransomware group.  The post includes a countdown timer related to Nampak suggesting that these files may be made available on 4 April 2024.

Although Nampak’s assessment of the potentially affected data is ongoing, it has identified that the impacted data may include files related to Nampak’s Legal, Finance and Human Capital functions.  Such files may include certain personal information relating to natural and juristic persons.

Nampak will make a further assessment of the affected data, and related personal information, if files related to it are made available by the external threat actor.  Nampak will continue to keep potentially affected data subjects and the Information Regulator (South Africa) informed as its investigation progresses. 

What Nampak has done

Nampak takes the privacy and security of its stakeholders and their personal information in its care extremely seriously. Nampak has notified the Information Regulator (South Africa) and will cooperate with all relevant authorities as needed. 

Nampak’s primary concern is to take the necessary measures to determine the scope of the compromise, to restore the integrity of Nampak’s information systems and to ensure that it is not exposed to further risk. 

In line with Nampak’s business continuity plans, employees have switched over to backup manual compensating controls and Nampak continues to function using these processes. Nampak is working with its suppliers and customers to ensure that the impact of the incident is contained, and that Nampak is able to continue delivering products as required.

Nampak has implemented various measures to address the compromise. These are designed to enhance the existing security of its IT systems and to ensure the protection of data and personal information. The protective measures Nampak has taken include isolating the affected servers and taking them offline, heightening privileged access management and deploying enhanced threat detection tools. Nampak continues to proactively monitor the internet and the dark web for the publication of any data relating to Nampak, or personal information of data subjects in its care.

Nampak will continue to evaluate additional measures to further strengthen its cybersecurity policies and procedures, and technological capabilities, to mitigate against the ever-evolving cyber risk landscape.

Possible consequences to data subjects and steps to safeguard personal information 

The full nature and extent to which personal information may have been compromised will be determined by the investigation currently underway. 

If personal information was contained in the data accessed by the unauthorised external threat actor, it may be used to attempt fraud or further security compromises such as social engineering, impersonation attempts, phishing attacks and/or email compromises. Nampak recommends that all data subjects remain vigilant about any suspicious activities or fraudulent communication they may receive, specifically in relation to requests for banking information and secondary extortion attempts.

Nampak encourages its stakeholders to safeguard their personal information by following these security measures, in accordance with best practice:

  • To mitigate any fraudulent consequences, you can place a fraud alert on your credit report at any of the major credit bureaus. 
  • You can register for a free Protective Registration listing with the Southern Africa Fraud Prevention Service (SAFPS) to help protect you against the risks of identity compromise (https://www.safps.org.za/Home/OurServices_ApplyProtectiveRegistration). 
  • Do not disclose personal information such as passwords and PINs when asked to do so by anyone via email, phone, text messages or fax.
  • Verify all requests for personal information and only disclose it when there is a legitimate reason to do so.
  • Carefully consider emails which contain embedded hyperlinks or unexpected attachments. Avoid clicking on links or downloading attachments from suspicious emails.
  • Change your passwords regularly, using lengthy passwords with complexity, and never share these with anyone else.
  • Perform regular anti-virus and malware scans on computers and mobile devices, using software that is up to date.

 

For more information

If you have any questions, concerns or require further assistance, please contact us at privacy@nampak.com.

Nampak prioritises the trust and privacy of its stakeholders. Nampak takes this matter extremely seriously and has dedicated the necessary resources to mitigate the impact on data subjects and other stakeholders.  

 
