A cyberattack on South African retail giant Pick n Pay has exposed customer data linked to an older version of its on-demand delivery platform, raising fresh concerns about how companies manage legacy systems long after they have been retired.
The breach, which Pick n Pay has confirmed, involves customer information from the retailer’s former delivery app, originally launched as Bottles and later rebranded as Asap! The compromised data included sensitive customer information and payment card details.
While Pick n Pay acknowledged the breach, it disputed claims that complete card information was exposed. The incident highlights a growing challenge facing companies undergoing digital transformation: retired systems can remain vulnerable long after they disappear from public view.
Pick n Pay began notifying affected customers on May 30, warning that users who registered for the delivery service on or before 2022 may have been impacted.
“The affected data comes from an earlier version of our on-demand app, first known as Bottles and later as Pick n Pay Asap!, which has since been replaced,” the retailer said in a customer notification.
According to the supermarket giant, the exposed information includes names, contact details, delivery addresses and limited payment card information. The company stressed that full payment card numbers and CVV security codes were not stored on the affected system.
“This means the leaked data cannot be used to make fraudulent transactions on customer cards,” the retailer said.
Despite those assurances, customers remain uneasy about the exposure of personal information that could be exploited in phishing attacks and identity fraud schemes.
“The biggest victims of poor cybersecurity are always ordinary working people,” said Pick n Pay shopper Dzungi Mudzunga. “Executives apologise in emails while citizens deal with fraud attempts for years.”
Cybersecurity expert Dr Nishal Khusial said the breach may have stemmed from weaknesses in the retailer’s legacy infrastructure.
“What has happened in this case is that there was an old system connected to an old app that did not necessarily have the current protection mechanisms to defend against modern-day penetration attacks,” Khusial told TechCabal.
The breach has also renewed scrutiny of how organisations handle customer data once platforms are retired. Samantha Hanreck, founder and director of IT solutions provider Data Sync Global, argued that the incident points to a broader governance problem rather than a purely technical failure.
“The Pick n Pay incident isn’t really a story about hackers,” she said. “It’s a story about data that didn’t need to exist anymore. The platform was retired in 2022, but the customer records stayed reachable. That’s a governance failure, not a technology failure.”
For some customers, the retailer’s response has not gone far enough.
“This is a serious invasion of privacy,” said Trevor Dube, a Johannesburg-based security company owner and frequent Pick n Pay shopper. “As customers, we expect these big companies to keep our private information safe. There should be serious consequences when they fail to protect us.”
Phetho Ntaba, spokesperson for South Africa’s National Consumer Commission, advised affected consumers to lodge complaints with the Information Regulator, the statutory body responsible for enforcing the Protection of Personal Information Act (POPIA). “That is the body empowered to deal with illegal access to people’s personal information,” she said.
Nomzamo Zondi, communications manager at the Information Regulator, said the regulator stands ready to assist affected consumers. “Should you feel that your personal information has been violated, please visit our online management services page or come to our offices to register your grievance,” she said.
Zondi also urged Pick n Pay to ensure the incident is formally reported to the regulator. The company said it has already initiated that process while working to determine the full extent of the breach.
“All appropriate processes were and are being followed, including notifying the Information Regulator,” said Enrico Ferigolli, Pick n Pay’s Executive Online. “We are working closely with cybersecurity specialists and undertaking a broader review of historical data management and retention practices as part of our ongoing investment in customer data security.”
