Date: 2021-12-29

Several Pick n Pay customers who used the company’s delivery service have had their data exposed online, a tip from a MyBroadband reader has revealed.

Customer delivery information for Pick n Pay’s online shopping service was available on a tracking website for courier Dawn Wing to anyone on the Internet who knew where to look.

The site exposed people’s names and addresses, and included photos of their orders taken by couriers to prove that they had delivered the items.

Order tracking pages also included photos of the driver and the driver’s vehicle, together with their licence plate number.

This data was exposed because Dawn Wing and Pick n Pay used sequential order numbers in the URL to allow customers to track their deliveries.

They then failed to require a login to access this data.

Anyone who knew the format of the tracking URL could add or subtract 1 from their order number to view the details of someone else’s order.

If you remove the tracking ID from the URL, the site directs you to a login form, but this authentication system did not protect the actual tracking data.
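The flaw described above, shown as an added example rather than code from Pick n Pay or Dawn Wing: a lookup keyed only on a sequential order number, next to a version that checks ownership or an unguessable per-order token. The order data, function names and HMAC-based token scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: order numbers, owners and addresses are invented.
ORDERS = {
    1001: {"owner": "alice", "address": "12 Example Rd"},
    1002: {"owner": "bob", "address": "34 Sample St"},
}
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, kept server-side


def track_vulnerable(order_id):
    """The reported flaw: the order number alone selects the record."""
    order = ORDERS.get(order_id)
    return (200, order) if order else (404, None)


def tracking_token(order_id):
    """Unguessable per-order token to embed in the tracking link sent to the customer."""
    return hmac.new(SERVER_KEY, str(order_id).encode(), hashlib.sha256).hexdigest()


def track_hardened(order_id, session_user=None, token=None):
    """Serve the record only to its owner or to a holder of the valid token."""
    order = ORDERS.get(order_id)
    if order is None:
        return (404, None)
    # Path 1: authenticated session whose user owns this order.
    if session_user is not None and session_user == order["owner"]:
        return (200, order)
    # Path 2: link token, compared in constant time as bytes.
    if token is not None and hmac.compare_digest(
        token.encode(), tracking_token(order_id).encode()
    ):
        return (200, order)
    # Same response as a missing order, so the endpoint does not confirm valid IDs.
    return (404, None)
```

With the hardened lookup, changing the order number by 1 returns the same 404 as a nonexistent order unless the caller owns that order or holds its token.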

MyBroadband contacted Pick n Pay and Dawn Wing to notify the companies of the data leak and requested comment.

Neither had responded at the time of writing, but the issue appears to be resolved. Visiting an order tracking link now takes you to a blank page.

