Leak at Picard
On 12 November 2024, French frozen-food retailer Picard disclosed a credential-stuffing attack that compromised the loyalty accounts of around 45,000 customers, exposing personal and loyalty-programme data; no banking data was affected and the company notified the CNIL.
- Victim
- Picard
- records
- 45.0K
On 12 November 2024, Picard β the French frozen-food retailer β emailed roughly 45,000 members of its loyalty programme to warn them that their accounts had been accessed without authorisation. The company attributed the incident to a credential-stuffing attack: rather than breaching Picard's own databases, attackers reused usernames and passwords stolen in unrelated breaches to log into customer loyalty accounts where people had recycled the same credentials.
Picard said it found no intrusion into its central systems, indicating the compromise was limited to individual customer accounts rather than a backend database breach. Banking and payment data were not affected. The data exposed in the accessed accounts included:
- Last name, first name and date of birth
- Email address, postal address and phone number
- Loyalty card number, loyalty points, discount vouchers
- Order history, receipts, shopping lists and purchase preferences
The company reported the incident to France's data protection authority, the CNIL, reinforced its security systems and stepped up monitoring of suspicious login attempts on customer accounts. It advised affected customers to change their passwords immediately β especially anywhere they had reused them β and to be wary of phishing or other suspicious communications. The breach was one of a wave of attacks on French consumer brands in late 2024, following similar incidents at SFR and Free.
Sources
- clubic.comhttps://www.clubic.com/actualite-543425-cet-e-mail-des-surgeles-picard-risque-de-glacer-le-sang-de-ses-45-000-clients.html
- usine-digitale.frhttps://www.usine-digitale.fr/article/picard-victime-d-une-fuite-de-donnees-plusieurs-milliers-de-clients-concernes.N2222253
- linformaticien.comhttps://www.linformaticien.com/magazine/cybersecurite/62687-des-clients-de-picard-victimes-d-une-fuite-de-donnees.html
- economiematin.frhttps://www.economiematin.fr/alerte-fuite-donnees-clients-picard-piratage