South African retail giant Pick n Pay has confirmed a cyberattack that exposed customer data linked to its retired on-demand delivery app, Bottles, later rebranded as Asap!. The breach, disclosed on May 30, affects users who registered before 2022, with compromised information including names, contact details, delivery addresses, and limited payment card data. While the retailer insists full card numbers and CVV codes were not stored, the incident has reignited concerns about how companies manage legacy systems long after they are retired.
Pick n Pay has begun notifying affected customers and assured them that the leaked data cannot be used for fraudulent card transactions. However, cybersecurity experts warn that personal information could still be exploited in phishing and identity fraud schemes. Dr Nishal Khusial noted that the breach likely stemmed from outdated infrastructure lacking modern protections, while IT governance specialist Samantha Hanreck argued the real failure was retaining customer records unnecessarily after the platform’s retirement.
The incident has drawn sharp criticism from customers, who see it as a serious invasion of privacy. “The biggest victims of poor cybersecurity are always ordinary working people,” said shopper Dzungi Mudzunga, reflecting widespread frustration. Consumer protection authorities have urged affected individuals to lodge complaints with the Information Regulator under South Africa’s Protection of Personal Information Act (POPIA). The regulator has confirmed readiness to assist and pressed Pick n Pay to formally report the breach.
Pick n Pay says it has already initiated the reporting process and is working with cybersecurity specialists to assess the full extent of the breach. Enrico Ferigolli, Executive Online at Pick n Pay, stressed that the company is undertaking a broader review of historical data management and retention practices. The episode underscores the growing risks posed by legacy systems in the digital era, highlighting the need for stronger governance and proactive data protection measures as companies modernize their platforms.