Pick n Pay Data Breach Exposes Cybersecurity Vulnerabilities

A recent cyberattack on South African retail giant Pick n Pay has compromised customer data from its former delivery app, raising concerns about how companies manage retired systems. The breach involved sensitive information including names, contact details, and limited payment card data from users who registered for the service before 2022.

Pick n Pay began notifying affected customers on May 30th, explaining that the compromised data originated from an earlier version of its delivery app initially known as Bottles and later rebranded as Pick n Pay Asap!. While the retailer maintains that full payment card numbers and CVV codes were not exposed, experts note this type of incident is becoming increasingly common.

The Legacy System Challenge

Cybersecurity specialist Dr. Nishal Khusial explained that the breach likely stemmed from weaknesses in Pick n Pay’s older infrastructure: “What has happened here is that there was an old system connected to an app that didn’t necessarily have modern security protections.”

This highlights a growing challenge for companies undergoing digital transformation - retired systems can remain vulnerable long after they are taken offline. As data governance expert Samantha Hanreck pointed out, the incident represents “a failure of data management rather than just a technical issue.” She noted that customer records remained accessible even though the platform was retired in 2022.

Customer Concerns and Regulatory Response

The breach has prompted mixed reactions from customers. While Pick n Pay assures users that full card details were not compromised, many remain concerned about potential identity theft and phishing attacks.

“The biggest victims of poor cybersecurity are always ordinary people,” said one affected shopper. “We expect these big companies to keep our information safe.”

The South African National Consumer Commission advises affected consumers to file complaints with the Information Regulator, which is responsible for enforcing data protection laws. The regulator stands ready to assist those who believe their privacy has been violated.

Pick n Pay says it has initiated an investigation and is working with cybersecurity specialists to review its data management practices.