Pepkor Lifestyle has confirmed that customer phone numbers were compromised in a data security incident that occurred at its third-party SMS marketing provider, Mobiz. The data breach affects customers of Pepkor Lifestyle’s retail brands, which include Incredible, HiFi Corp, Russels, Bradlows, Rochester, and Sleepmasters.
Read: Valve unveils Steam Frame, a wireless standalone VR headset
Pepkor issued a notice stating the breach occurred at Mobiz, a vendor used for marketing and statement communications.
- Discovery Date: Mobiz discovered the incident on October 13, 2025.
- Action: An unauthorized party gained access to one of Mobiz’s storage systems, where they viewed and deleted data related to marketing and statement campaigns.
- Compromised Data: The investigation confirmed the exposed information included customer cellphone numbers and the content of the campaign messages they received via the Mobiz service.
- Limited Scope: Pepkor emphasized that the incident was limited to this specific campaign data and did not involve broader customer databases, financial information, or other sensitive personal details.
In line with the Protection of Personal Information Act (POPIA), Pepkor has notified the Information Regulator and is working directly with Mobiz to oversee their forensic investigation and the implementation of enhanced security measures.
While financial information was not exposed, Pepkor warns that the compromised phone numbers increase the risk of customers being targeted by scams:
- Phishing/Smishing Risk: Customers may receive unsolicited messages (smishing via SMS or phishing via email) that appear to be from Pepkor or other trusted companies, asking them to click a link or provide sensitive personal information.
- Vigilance is Key: Pepkor advises customers to be vigilant, never share personal information in response to unsolicited messages, and verify communications directly with the companies involved.
For an added layer of defence against potential identity theft, Pepkor recommends customers place a free protective registration on their name with the South African Fraud Prevention Service (SAFPS).
This registration alerts credit providers and banks that the customer’s identity has been compromised, making it significantly harder for fraudsters to open new accounts in their name. Registration can be completed on the SAFPS website.
The Pepkor/Mobiz incident occurs amid a sharp rise in reported security compromises in South Africa.
See also
The South African Information Regulator recently disclosed the following concerning statistics:
- 2024/25 Financial Year: 2,374 data breaches were reported, averaging 198 notifications per month.
- April 2025 to Date: 1,947 security compromise incidents were reported.
- Increase: This represents an average of 284 notifications per month, demonstrating a 40% increase in reported security compromises compared to the previous period.
Information Regulator chairperson Pansy Tlakula expressed deep concern about the rising number of incidents, calling on both public and private sectors to invest heavily in their information security capabilities and maintain appropriate technical and organizational measures to secure personal information.
Though many security incidents in South Africa do not become publicly known, current regulations require companies to notify both the Information Regulator and the affected data subjects when a compromise occurs.
