Bad news for Pick n Pay clients

 ·20 Jan 2025

The personal information of Pick n Pay clients who used the retailer for licence disc renewals has been leaked on the dark web after one of its service providers suffered a data leak.

Claim Expert, the company Pick n Pay used to offer its licence disc renewal service in 2022 and 2023, was the victim of a cyber-attack.

The Claim Expert said the incident occurred on 18 July 2024, when a document containing personally identifiable information was mistakenly exposed online.

“Out of caution, we believe some of the data on the file may have been accessed,” the company said.

“We are notifying you now so you know about the actions that we are taking and can take proactive measures to protect your information.”

Claim Expert said it reported the incident to the Information Regulator and was cooperating with authorities.

“Our top priority is to determine the scope of the issue, secure our systems, and prevent future risks,” it said.

MyBroadband reported that the ransomware gang Bashe threatened Pick n Pay with releasing the data unless the company paid a ransom by 14 January 2025.

When the clock ran out, the ransomware group released the sensitive data from Claim Expert, containing Pick n Pay client information.

This data, containing the personal information of over 100,000 customers, was published on the dark web.

The leak contains names and surnames, ID numbers, cellphone numbers, and email addresses. Many of the affected people were Pick n Pick clients.

Scammers often use these types of leaks to target victims by using their sensitive personal information to launch phishing attacks.

Claim Expert advised impacted customers to place a fraud alert on their credit report with major credit bureaus like Experian, XDS, TransUnion, Vericred, and the Consumer Profile Bureau.

Customers could also get a Protective Registration from the Southern African Fraud Prevention Service.

“Be cautious of suspicious e-mails, calls, texts, or faxes asking for personal information. Verify any requests before responding,” Claim Expert said.

“Avoid clicking links or opening attachments in emails where you are not familiar with the person sending you the email.”

It also advised that customers use strong, unique passwords and that they change them regularly.

Pick n Pay told BusinessTech that it has in no way experienced any data breach or ransomware attack.

“Our platforms remain fully operational. We take data security very seriously,” the company said in response to questions.

“Our IT team reviewed these claims and found they relate to a former service provider’s data breach dating back to July 2024.”

“We stopped working with the third-party service provider more than a year before that – in March 2023 – for commercial reasons.”

Pick n Pay added that during its partnership, it did not share data with the former service provider, Claim Expert.

“Any customer using their service provided their own information directly to the service provider via their independent platform,” Pick n Pay said.

The retailer preferred not to answer when asked whether the data leak contained personal data from Pick n Pay clients.

The company also did not say when it became aware of the data leak or how many Pick n Pay clients’ data were exposed.

Pick n Pay would not comment on whether it alerted the affected clients or the Information Regulator about the leak.

Show comments
Subscribe to our daily newsletter