Cyber Incident Victim: Picard
Date: Nov 2024
Location: France
Summary
A frozen food retailer experienced unauthorized access to customer accounts within its loyalty program, impacting approximately 45,000 members out of 11 million total participants. Exposed data included names, birthdates, contact information, and loyalty card details, though financial data remained unaffected as it was not stored in customer profiles. The company confirmed no broader intrusion into its information systems occurred and reported the incident to the national data protection authority. Affected customers were notified and advised to change their account passwords, with additional recommendations to update credentials if reused across other platforms. This breach follows similar recent incidents involving other retail chains.
Description
On November 12, 2024, Picard, a French frozen food retailer, publicly disclosed a data breach affecting its customer loyalty program members. The company detected unauthorized third-party access to certain customer accounts through its existing technical security measures. Approximately 45,000 customers from Picard's 11 million loyalty program members had their personal information compromised in the incident. The exposed data included full names, dates of birth, contact details, and loyalty card information. Picard explicitly confirmed that financial data remained unaffected because banking information was not stored within customer accounts. The breach notification did not specify the exact timeframe of unauthorized access or the methods used by attackers to compromise accounts.

Picard initiated response actions by notifying France's National Commission on Informatics and Liberty (CNIL) about the breach as required by data protection regulations. The company directly informed affected customers via email, advising them to change their Picard account passwords immediately. Picard further recommended password changes for any other online accounts where customers might have reused the same credentials. The retailer emphasized that its internal investigation found no evidence of broader system intrusions beyond the compromised customer accounts. This incident occurred amidst a series of similar retail sector breaches in France, including earlier September 2024 data leaks at Boulanger and Cultura that impacted over 1.5 million customers collectively.
