
Pick n Pay breach exposes risks lurking in legacy retail systems


Supermarket giant recently confirmed data from a retired delivery app had been compromised…

A cyberattack involving South African retailer Pick n Pay has brought renewed attention to the risks associated with legacy digital systems, after customer data linked to an older version of its on-demand delivery service was found to have been compromised.

The incident relates to the retailer’s previously used delivery platform, originally launched under the Bottles brand and later rebranded as Asap!, which has since been replaced. According to the company, data exposed in the breach includes customer information and payment card details stored on the former system.

Pick n Pay emphasised that full card numbers and CVV security codes were not held on the affected platform. “Without these full details, the credit card cannot be used to directly process fraudulent card transactions. South African ID numbers were also not stored on the Bottles platform,” said Enrico Ferigolli, Executive Online at Pick n Pay.

The retailer began notifying impacted customers on 30th May, stating that individuals who registered for the service on or before 2022 may have been affected.

The breach highlights a broader issue for retailers undergoing rapid digital transformation, where decommissioned platforms can continue to present exposure long after they have been taken out of active use.

Security professionals note that legacy environments often retain residual data or weak access controls, making them attractive targets even after operational retirement.

The incident also underlines the wider challenges retailers face around cyber resilience and fraud prevention in the age of AI – key themes we continue to explore at our Retail Risk conferences globally.

Read the full Pick n Pay statement here.