Recent times have been eventful for IS events on the African continent. In this overview, you will find details on data leak in South Africa and data protection lawsuits. A major data breach affected Pam Golding, a South African real estate developer. A third party got access to the company’s CRM. African Data Commissioners are tightening the data regulations. Major rulings were set in Nigeria and Kenya.

Pam Golding, South Africa's property giant, fell victim to a data breach. Officials stated that last week an unknown third party gained access to the company’s database. As a result, sensitive data hosted on the customer relationship management (CRM) system was stolen. Pam Golding notified affected clients and fulfilled the incident report to the Information Regulator.

Company officials stated that all required security measures to contain the breach were implemented. Affected user accounts were secured, active sessions were terminated, and passwords were reset system-wide. The company contacted independent cybersecurity specialists to facilitate the investigation and enhance security measures.

Pam Golding’s representatives stated that no banking details, financial information, or commercial documents were exposed. The full scope of the incident is unknown yet; the investigation is ongoing. However, the company's officials highlighted the following potential risks:

• Client information may have been accessed by third-parties
• Stolen credentials could be used for further criminal activities such as fraudulent emails or messages and impersonating trusted sources
• Exposed personal data could be used for identity theft.

Let’s continue with the news about data compliance. The Federal High Court of Nigeria found Domino's Pizza guilty of utilizing a customer’s data for marketing without consent. The court judge determined that the restaurant chain’s use of personal data was illegal and violated the Nigeria Data Protection Act. Dominos Pizza was fined for N3,000,000 (about $2,000), ordered to permanently delete the applicant’s personal data, and ordered to halt all unsolicited direct marketing communications.

According to the investigation, the applicant’s personal data was initially provided to Jumia Food, an e-commerce platform. Later it was shared with Domino's Pizza during the food order process. As a result, shared information was used for marketing purposes without the applicant’s consent. Consequently, the claimant sent a formal letter to Domino's Pizza requesting they stop sending promotional materials, delete personal data, and compensate for violation of his rights. The restaurant denied any wrongdoing, despite receiving an official complaint from the individual and a request from Jumia Food to delete shared data.

It’s the second legal victory in the past two years in the field of data protection in Nigeria. There are multiple lawsuits against healthcare institutions and government bodies that are being considered legally. This legal ruling is a sign of the ongoing effort to enforce data protection. The Nigeria Data Protection Act was enacted on the 12th of June, 2023.

The process of regulatory compliance is a reality in most countries around the world. Thus, the integration of Data-Centric Audit and Protection (DCAP) systems, like SearchInform’s FileAditor, is a necessity for businesses and governmental bodies. Such solutions are used for the automated audit of information storage, including the processes of data collection, data storage, and processing. DCAP systems classify sensitive data, manage access rights, archive critical documents, and monitor user actions, preventing accidental or intentional malicious actions.

Another legal ruling was set in Kenya. The Office of the Data Protection Commissioner found Fingrow Capital Ltd. guilty of disclosing confidential personal and financial data to third parties without consent. The company was fined 200,000 KES (around $1,500). According to the investigation, the complainant took a credit facility from the respondent. The respondent’s general manager had a phone call with the complainant on the credit repayment. Following the discussion, the manager gathered sensitive information and forwarded it via email to ABC Bank’s public customer service email address. Numerous bank employees who were not authorized to handle personal data had access to the mentioned email. As a result, the following sensitive information was exposed:

• Paychecks and 6-month account statements
• National Identity Card
• Letter of promotion
• Guarantors’ personal details (ID numbers, name, phone number, occupation, and gross pay).

This legal case is just an isolated example of many lawsuits over the protection of personal data in Kenya. The Data Commissioner continues the policy of enforcement of the Kenya Data Protection Act. Recently, Platinum Credit Ltd. was found guilty of unsolicited text messages and calls, promoting loan products, without obtaining consent. As a result, the company was fined 900,000 KES (around $7,000).

The majority of African countries took a proactive stance regarding the data protection. Long gone are the days of grace periods. Nowadays, compliance with regulations is a necessity for business companies and governmental bodies. A lot of entities are facing challenges regarding information security. Lack of trained specialists, vague legal wordings, and limited financial resources.

All of these factors hamper compliance with data protection regulations. However, there is a proper solution to these issues–Managed Security Service (MSS). The service addresses workforce shortages and provides companies with access to effective and reliable information security practices. Also, MSS ensures compliance with regulatory demands, assists with reporting, and provides holistic threat prevention. Test the capabilities of our security service during the 30-day free trial.