Nampak hit by cyber attack

Nampak detected unauthorised activity on its IT systems last week and has made an initial notification to the Information Regulator.

Nampak informed shareholders today that, on 20 March 2024, it detected unauthorised activity on its IT systems. 

According to the company, an unknown third party gained access to its IT systems, notwithstanding its “robust and embedded security protocols”. 

Nampak said it immediately took the necessary steps to contain, assess and remediate the incident. 

“Nampak is taking the necessary measures to determine the scope of the compromise, to restore the integrity of its information systems and to ensure that it is not exposed to further risk,” the company said. 

“The company has retained local and global cybersecurity and forensic experts to work with its capable in-house IT team to manage this process.”

Nampak has since switched over to its backup manual compensating controls and continues to function using these processes. 

“This breach has not affected the manufacturing facilities and operations which are functioning as normal, albeit with some manual operating systems where required,” the company said.

“The company will work with its suppliers and customers to ensure that the impact of the incident is contained and it is able to continue delivering products as required.”

Nampak said it is aware of its obligations under the Protection of Personal Information Act (POPIA), and it has already made an initial notification to the Information Regulator. 

This notification will be supplemented as the investigation progresses, and a notification to potentially affected data subjects will be made as soon as possible in accordance with POPIA requirements. 

“The company will cooperate with the authorities as and when required,” it said.

“Nampak regularly reviews and strengthens its cybersecurity policies and procedures, and technological capabilities, to mitigate against the ever-evolving cyber risk landscape.”