A major data breach at Pick n Pay, one of South Africa’s biggest supermarket chains, has put the spotlight firmly on how large retail companies protect their customers’ private information.
Hackers managed to steal customer details from an old, retired version of the supermarket’s grocery delivery app. The incident has raised serious questions about what companies do with old data long after it is no longer in use.
The breach involves historical customer records from 2022. The data came from an early version of Pick n Pay’s on-demand delivery app, which used to be called Bottles and was later rebranded as Pick n Pay asap!.
Pick n Pay discovered that a file containing this old customer information was being offered for sale by criminals on the dark web. The company immediately called in independent cybersecurity experts to launch a full investigation.
According to Pick n Pay, the stolen files contain a mix of personal and limited banking details:
• Personal Details: Names, phone numbers, email addresses, dates of birth, and home delivery addresses.
• Loyalty Details: Smart Shopper card numbers (if they were linked to the app).
• Card Details: The card type, expiry date, and only the last four digits of the credit card number.
The Good News: Full credit card numbers and CVV security codes (the three digits on the back of the card) were never stored on this old system. This means criminals cannot use the leaked data to make direct, fraudulent purchases using your bank card. South African ID numbers were also not part of the leak.
Even though hackers cannot swipe money directly from your card using this data, cybersecurity experts warn that the leak is still highly dangerous.
With access to your name, phone number, and exact home address, fraudsters can launch highly convincing phishing scams.
A criminal might call you pretending to be from Pick n Pay or your bank. Because they already know your address and the last four digits of your card, they will sound official and trustworthy. Their goal is to trick you into giving away secrets like your passwords, bank PINs, or One-Time PINs (OTPs).
Advice for Pick n Pay Customers
If you used the old Bottles or Pick n Pay asap! app in or before 2022, the company advises you to take the following protective steps immediately:
1. Change Your Passwords: If you used the same password for that old app on any other websites (like your email or banking app), change it right away.
2. Be Guarded Against Calls: Treat any unexpected phone calls, text messages, or emails with extreme caution, especially if the person mentions your home address or card details.
3. Never Share OTPs: Remember that neither Pick n Pay nor your bank will ever ask you to read out a password, PIN, or OTP over the phone.
A Wake-Up Call for South African Retailers
This incident highlights a major corporate headache: legacy systems. When companies upgrade to shiny new apps, they often leave old databases sitting on forgotten servers.
Pick n Pay confirmed that its current, modern app is completely safe and runs on an entirely separate, highly secure system. However, this breach serves as a stark reminder to all South African retailers that old data must be permanently and securely destroyed so it doesn’t fall into the wrong hands.

