Pick n Pay breach puts South Africa’s retail cybersecurity under scrutiny

A massive cyberattack on South African retail giant Pick n Pay has left thousands of customers concerned about the security of their personal information. The breach, which involved customer data linked to the retailer's older on-demand delivery platform, has raised questions about how companies manage legacy systems long after they have been retired.

What Happened

The breach, confirmed by Pick n Pay, involves customer information from the retailer's former delivery app, originally launched as Bottles and later rebranded as Asap!. The compromised data includes sensitive customer information and payment card details. However, the retailer disputes claims that complete card information was exposed.

Inside the Story

The incident highlights a growing challenge facing companies undergoing digital transformation: retired systems can remain vulnerable long after they disappear from public view. Pick n Pay began notifying affected customers on May 30, warning that users who registered for the delivery service on or before 2022 may have been impacted.

• The affected data comes from an earlier version of the on-demand app, first known as Bottles and later as Pick n Pay Asap!
• The exposed information includes names, contact details, delivery addresses, and limited payment card information
• The company stressed that full payment card numbers and CVV security codes were not stored on the affected system

Why It Matters

The breach has renewed scrutiny of how organisations handle customer data once platforms are retired. Cybersecurity expert Dr. Nishal Khusial said the breach may have stemmed from weaknesses in the retailer's legacy infrastructure. "What has happened in this case is that there was an old system connected to an old app that did not necessarily have the current protection mechanisms to defend against modern-day penetration attacks," Khusial said.

• The incident points to a broader governance problem rather than a purely technical failure
• The platform was retired in 2022, but the customer records stayed reachable
• This is a governance failure, not a technology failure, says Samantha Hanreck, founder and director of IT solutions provider Data Sync Global

The Takeaway

The breach has left many customers uneasy about the exposure of their personal information, which could be exploited in phishing attacks and identity fraud schemes. As the South African retail sector continues to evolve, it's clear that companies must prioritize cybersecurity and data governance to protect their customers.