Metro Pakistan, a major wholesale retail chain operating in multiple cities across the country, has reportedly suffered an unauthorized access incident involving its internal systems. According to claims circulating on a well known cybercrime forum, more than one million records associated with the company have been put up for sale. The alleged breach has been linked to a threat actor identified as xklahadore, raising concerns about the safety of customer and operational data belonging to one of the country’s prominent retail networks.
The data set reportedly includes a combination of user and transaction information. Around 425,000 individual records are said to contain personally identifiable information such as names, email addresses, and phone numbers. In addition, more than 611,000 transaction or order related entries have allegedly been exposed. Samples shared on the forum appear to include both regular user data and sensitive administrative level information, including details associated with Super Admin accounts. This suggests that the breach, if confirmed, may extend beyond basic customer data and into deeper system level access.
The exposed fields within the leaked data reportedly cover a wide range of personal and account related attributes. These include identification numbers, full names, contact details, gender, and complete residential addresses, with some entries listing detailed street level information. Additional fields such as date of birth, account type, and location markers including city and state are also part of the dataset. Financial and system related details, such as wallet balances, store identifiers, active status flags, and voucher related indicators tied to signup or birthdays, have also been mentioned. Records further include compliance related markers like privacy policy agreement status, along with employee numbers, login IDs, and account creation timestamps.
The presence of detailed geographic data is particularly notable, as records reportedly include specific area level information from cities such as Karachi, Faisalabad, Lahore, Islamabad, and Multan. This level of granularity could increase the potential risk for affected individuals if the data is misused. The inclusion of administrative account information in the sample data also raises concerns about possible system level vulnerabilities or insufficient access controls that may have been exploited during the incident.
At this stage, the claims remain based on information shared within cybercrime channels, and there has been no formal public confirmation detailing the full scope or authenticity of the breach. However, the scale and sensitivity of the alleged data exposure highlight ongoing challenges in securing large retail databases that handle both customer and operational information. Incidents of this nature continue to emphasize the importance of robust cybersecurity practices, particularly for organizations managing extensive digital records across multiple regions.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
