Pick n Pay Faces Data Breach from Old Delivery Platform

Severity: Medium (Score: 51.9)

Sources: Citizen.Co.Za, Novanews.Co.Za

Published: 2026-05-29 · Updated: 2026-05-29

Keywords: customers, pick, breach, data, information, compromised, linked

Severity indicators: breach, data breach

Summary

Pick n Pay has reported a data breach involving personal information from its former delivery platform, Bottles, and its later version, Pick n Pay asap!. The breach, affecting records dating back to 2022, was only recently discovered online. Customers who registered on the older app may be impacted, with compromised data potentially including names, email addresses, mobile numbers, and encrypted passwords. However, the retailer confirmed that full credit card numbers and CVV codes were not stored and thus cannot be used for fraudulent transactions. Pick n Pay has initiated a forensic investigation and is contacting all affected customers. The company is also enhancing its data management practices and security protocols. Customers are advised to remain vigilant against phishing attempts using their personal information.

Key Points:

  • Data breach linked to Pick n Pay's old delivery platform, Bottles.
  • Compromised data includes names, emails, and encrypted passwords, but no full card details.
  • Pick n Pay is conducting a forensic investigation and has notified potentially affected customers.

Detailed Analysis

**Impact** Customers who registered on the Bottles/Pick n Pay asap! platform in or before 2022 are affected, though the exact number is unknown. Personal data exposed includes names, usernames, email addresses, mobile numbers, dates of birth, delivery addresses, linked Smart Shopper numbers, encrypted passwords, and partial payment card details (card type, last four digits, expiry date). Full credit card numbers, CVVs, and South African ID numbers were not compromised. The breach impacts South African retail customers and may facilitate phishing or social engineering attacks but does not allow direct fraudulent card transactions.

**Technical Details** The breach involves unauthorized access to an old, decommissioned delivery platform (Bottles), with data dating back to 2022. The exact attack vector, TTPs, malware, or exploited vulnerabilities are not disclosed. The compromised data was discovered being sold on the dark web. No evidence currently indicates ongoing unauthorized access to the decommissioned system. A forensic investigation by an independent cybersecurity firm is ongoing.

**Recommended Response** Defenders should monitor for phishing and social engineering attempts leveraging exposed personal information. Customers must be advised to remain vigilant against unsolicited communications and to change passwords on any reused credentials. Organizations should review and strengthen data retention policies and security controls for legacy systems. Continued forensic analysis and engagement with regulatory and law enforcement bodies are recommended; no specific patches or IOCs are provided.

Source articles (2)

  • 'We are truly sorry' - Pick n Pay on customers' information breach — Citizen.Co.Za · 2026-05-29
    Retail giant Pick n Pay says it is “truly sorry” for the personal information that was compromised in the data breach of its old delivery platform, Bottles, but assured customers that the compromised…
  • Pick n Pay warns customers of data breach linked to old asap! app — Novanews.Co.Za · 2026-05-29
    Retail giant Pick n Pay has warned customers that personal information linked to an on-demand grocery app may have been compromised in a recently identified data breach, and customers can rest assured…

Timeline

  • 2022-12-31 — Bottles platform data stored: Customer data from the Bottles platform was retained until the end of 2022, when it was decommissioned.
  • 2026-05-28 — Breach discovered: Pick n Pay identified that personal information from the old app was being sold online.
  • 2026-05-29 — Public announcement made: Pick n Pay publicly apologized and confirmed the breach while assuring customers of their data's safety.

Related entities

  • Data Breach (Attack Type)
  • Pick n Pay (Company)
  • CWE-200 - Exposure of Sensitive Information (CWE)
  • Retail (Industry)
  • T1566 - Phishing (MITRE ATT&CK)
  • T1567 - Exfiltration Over Web Service (MITRE ATT&CK)
  • Bottles (Platform)