Pick n Pay Confirms Data Breach Affecting Former *asap!* App Users
South African retail giant Pick n Pay has acknowledged a data breach exposing personal information of users from its former on-demand app, Pick n Pay asap! (previously known as Bottles). The incident, disclosed in an email to customers on Thursday, involves records dating back to 2022, which were recently discovered online.
Compromised Data
The leaked dataset includes:
- Names, contact details, and dates of birth
- Delivery addresses linked to the service
- Partial payment card details (cardholder names, card types, last four digits, and expiry dates)
- Encrypted passwords
- Smart Shopper numbers (where linked)
Notably, full card numbers and CVV codes were not stored and remain unexposed, preventing direct fraudulent transactions. However, Pick n Pay warns that the combination of leaked details could enable phishing or social engineering attacks, with criminals potentially impersonating banks or the retailer to extract sensitive information.
Impact and Response
The breach affects users registered on the app before 2022. The current Pick n Pay asap! and Smart Shopper platforms operate on separate systems and are unaffected.
Pick n Pay has launched a forensic investigation with an independent cybersecurity firm, engaged the Information Regulator and law enforcement, and is reviewing data retention practices. A dedicated support channel has been established for affected customers, including a helpline (086 099 6727) and email ([email protected]).
The retailer has apologized for the incident and pledged to strengthen security protocols. Customers are advised to monitor communications for suspicious activity and avoid sharing sensitive details like PINs or one-time passwords. The Information Regulator can also be contacted directly for further assistance.
Source: https://www.ecr.co.za/shows/stacey-jsbu/pick-n-pay-data-breach-what-customers-need-to-know/
Pick n Pay cybersecurity rating report: https://www.rankiteo.com/company/pick-'n-pay
"id": "PIC1780050597",
"linkid": "pick-'n-pay",
"type": "Breach",
"date": "1/2022",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"