Pick n Pay breach puts South Africa’s retail cybersecurity under scrutiny

A cyberattack on South African retail giant Pick n Pay has exposed customer data linked to an older version of its on-demand delivery platform, raising fresh concerns about how companies manage legacy systems long after they have been retired.

The breach, which Pick n Pay has confirmed, involves customer information from the retailer’s former delivery app, originally launched as Bottles and later rebranded as Asap! The compromised data included sensitive customer information and payment card details.

While Pick n Pay acknowledged the breach, it disputed claims that complete card information was exposed. The incident highlights a growing challenge facing companies undergoing digital transformation: retired systems can remain vulnerable long after they disappear from public view.

Pick n Pay began notifying affected customers on May 30, warning that users who registered for the delivery service on or before 2022 may have been impacted.

“The affected data comes from an earlier version of our on-demand app, first known as Bottles and later as Pick n Pay Asap!, which has since been replaced,” the retailer said in a customer notification.