Pick N Pay Data Breach Exposes Legacy Delivery App Data

In Short

• Pick n Pay confirmed a data breach tied to an older version of its on-demand delivery app.
• Affected records relate to users who registered on or before 2022.
• The retailer says full card numbers and CVV codes were not stored on the impacted system.

What Happened

Pick n Pay has confirmed a cyberattack that exposed customer data from a previous version of its on-demand delivery platform. Pick n Pay began notifying affected customers on May 30, saying people who registered for the delivery service on or before 2022 may be impacted.

The retailer said the exposed information includes names, contact details, and delivery addresses. It also said “limited payment card information” was part of the compromised dataset.

Pick n Pay disputed claims that complete card information was exposed. The company said the affected system did not store full card numbers or CVV security codes, which are the three digits used to verify a card during online payments.

The incident is linked to an older app that launched as Bottles and was later rebranded as Pick n Pay Asap!, before being replaced. This is a common risk area in cybersecurity because legacy systems, meaning older software that is no longer actively used, can still remain connected, hosted, or backed up in ways attackers can reach.

Why It Matters

Retailers hold large volumes of personal and payment-related data, especially when they run e-commerce and delivery operations. Even if full card details are not exposed, leaked personal data can still fuel phishing, which is a scam where attackers pretend to be a trusted brand to trick customers into sharing passwords, one-time pins, or card details.

For South Africa’s retail sector, the breach adds pressure to prove that “retired” digital products are actually decommissioned, meaning shut down, deleted, and access locked. It also puts focus on data retention policies, vendor access controls, and how quickly companies can detect and respond to intrusions.

Customers who used Pick n Pay’s delivery service around 2022 will likely watch closely for follow-up updates, including whether any fraud attempts emerge from the leaked personal information.