Pick n Pay clients’ data leaked on the dark web
Pick n Pay clients’ personal data has been exposed on the dark web after one of its service providers suffered a data leak.
The data leak came from Claim Expert – the company Pick n Pay used to offer its licence disc renewal service in 2022 and 2023.
On 26 July 2024, Claim Expert alerted users about a potential information security incident they had identified on 18 July 2024.
“A file containing personally identifiable information was mistakenly exposed online. Out of caution, we believe some of the data on the file may have been accessed,” it said.
“We are notifying you now so you know about the actions that we are taking and can take proactive measures to protect your information.”
Claim Expert reported the incident to the Information Regulator of South Africa and cooperated with authorities.
“Our top priority is to determine the scope of the issue, secure our systems, and prevent future risks,” the company said at the time.
“The full impact of the incident is still under investigation. However, if your information was accessed, it could be misused for fraud or identity theft.”
Most of the Claim Expert data leaked online came from Pick n Pay clients who used the company’s service to renew their licence discs.
An analysis from MyBroadband revealed that 56,770 of the 105,383 records leaked online came from Pick n Pay clients.
The ransomware gang Bashe, which leaked the data online, reportedly warned Pick n Pay that it would leak the data unless it paid a ransom.
When Pick n Pay did not pay the ransom by the deadline, Bashe published the sensitive information on the dark web on 14 January 2025.
The data leak contains names and surnames, ID numbers, cellphone numbers, and email addresses.
The leaked records include many from Pick n Pay employees and executives, and people associated with the company.
Claim Expert advised impacted customers to place a fraud alert on their credit report with major credit bureaus like Experian, XDS, TransUnion, Vericred, and the Consumer Profile Bureau.
Customers could also get a Protective Registration from the Southern African Fraud Prevention Service.
“Be cautious of suspicious e-mails, calls, texts, or faxes asking for personal information. Verify any requests before responding,” Claim Expert said.
“Avoid clicking links or opening attachments in emails where you are not familiar with the person sending you the email.”
It also advised that customers use strong, unique passwords and that they change them regularly.
Pick n Pay told Daily Investor that it has in no way experienced any data breach or ransomware attack.
“Our platforms remain fully operational. We take data security very seriously,” the company said in response to questions.
“Our IT team reviewed these claims and found they relate to a former service provider’s data breach dating back to July 2024.”
“We stopped working with the third-party service provider more than a year before that – in March 2023 – for commercial reasons.”
Pick n Pay added that it did not share data with the former service provider, Claim Expert, during its partnership.
“Any customer using their service provided their own information directly to the service provider via their independent platform,” Pick n Pay said.
The retailer preferred not to answer when asked whether the data leak contained personal data from Pick n Pay clients.
The company also did not say when it became aware of the data leak or how many Pick n Pay clients’ data were exposed.
Pick n Pay preferred not to say whether it alerted the affected clients or the Information Regulator about the leak.