Nampak has become the latest victim of cybercrime, having detected unauthorised activity on its IT systems last week (20 March 2024). Manufacturing and operations are not affected.
The company has made a voluntary disclosure about the attack.
“An unknown third-party gained access to its IT systems, notwithstanding the company’s robust and embedded security protocols,” according to a SENS statement. “The company immediately took the necessary steps to contain, assess and remediate the incident.”
The statement adds that Nampak is taking the necessary measures to determine the scope of the compromise, to restore the integrity of its information systems and to ensure that it is not exposed to further risk.
It has retained local and global cybersecurity and forensic experts to work with its in-house IT team to manage this process.
In line with its business continuity plans, Nampak has switched over to its backup manual compensating controls and continues to function using these processes.
“This breach has not affected the manufacturing facilities and operations which are functioning as normal, albeit with some manual operating systems where required,” according to the statement. “The company will work with its suppliers and customers to ensure that the impact of the incident is contained, and it is able to continue delivering products as required.”
Nampak is complying with the Protection of Personal Information Act (PoPIA) and an initial notification has been made to the Information Regulator, and will be supplemented as the investigation progresses. It will also notify potentially affected data subjects.
“Nampak regularly reviews and strengthens its cybersecurity policies and procedures, and technological capabilities, to mitigate against the ever-evolving cyber risk landscape,” the statement concludes.