Pick n Pay executive data exposed in leak

Pick n Pay chief financial officer Lerena Olivier’s personal information was among the details of more than 100,000 people exposed in a recent Claim Expert data leak.
Claim Expert is the company Pick n Pay used to offer its vehicle licence disc renewal service from January 2022 until mid-2023.
In addition to Olivier’s data, the leak contains the details of 50 Pick n Pay employees who used their work email addresses.
The data of 1,031 government employees was also exposed, including members of the South African Revenue Service, SA Police Service, National Prosecuting Authority, Department of Justice, and various other government departments.
Several Claim Expert employees’ data was also exposed, including that of general manager Leon de Jager.
In July 2024, Claim Expert notified customers that their information had potentially been exposed after discovering that a file containing user data had been uploaded to an unsecured public server.
It did not disclose what data had been exposed and assured customers it would monitor the open Internet and dark web for any exposed information.
Then, towards the end of last year, a hacking group called Bashe posted on its data leak site on the dark web that it planned to dump a database with 105,383 lines belonging to Pick n Pay.
Bashe gave Pick n Pay until the morning of 14 January 2025 to pay up.
When the clock ran out and Bashe released the data, it turned out that the database belonged to Claim Expert, not Pick n Pay.
It is unclear whether Bashe was the threat actor that originally discovered the exposed data, or if they found it elsewhere on the Internet and were trying their luck to extort Pick n Pay.
The dataset contained names, ID numbers, email addresses, cellphone numbers, hashed passwords, and IP addresses. It also included details about which channel customers used to register for the service.
An analysis of the data revealed that 56,770 individuals whose data was leaked registered through Pick n Pay’s white-labelled portal for licence disc renewals, shown in the screenshot below.

When we asked Pick n Pay and Claim Expert whether the latter had followed through on its promise to “provide updates as it learns more”, their responses were disappointing.
Claim Expert did not respond to our questions at all, while Pick n Pay provided the following statement denying any responsibility towards customers.
“There has not been a breach or leak of any Pick n Pay customer data. Claim Expert experienced a data leak in July 2024, and there has been no new data leak or release of new information since then,” said Pick n Pay.
While this statement is technically true, it also ignores the fact that Claim Expert previously told customers that their data had only potentially been leaked.
Bashe’s extortion attempt has confirmed that the data was indeed obtained by malicious actors.
One would have hoped that a company as large as Pick n Pay would feel some responsibility towards the customers who trusted its chosen supplier with their personal data.
“In July 2024, Claim Expert notified Pick n Pay that they had a data leak, and they confirmed that they had followed the correct regulatory procedures by notifying the Information Regulator and communicating with affected customers,” Pick n Pay said.
“Claim Expert managed this process entirely as it was their data that was leaked. Claim Expert is a former business partner of Pick n Pay and has not worked with Pick n Pay since March 2023,” the company continued.
“No Pick n Pay customer’s details were compromised, and no breach of our systems occurred at all.”
Asserting that none of the affected people were Pick n Pay customers is disingenuous at best.
When the company launched its vehicle licence disc renewal service, customers could register at Pick n Pay till points and through a Pick n Pay-branded online portal.
While it is accurate to say that these customers’ data was warehoused by Claim Expert, denying that the nearly 57,000 people who registered using Pick n Pay’s channels are its customers paints the company in a very bad light.
MyBroadband asked Pick n Pay whether Claim Expert had notified Olivier that the Bashe hacking group had posted her data on the dark web, but the company did not answer the question.