Two people get the same Capitec notification. "Your card may be at risk. Replace it now."
Person one taps through, pays the R70, and gets on with their day.
Person two stops and asks why they're paying for a mistake they didn't make.
The breach wasn't Capitec's fault. It happened on Pick n Pay's side, an old delivery app called Bottles, decommissioned in 2025, still sitting on 2022 customer data nobody bothered to wipe. Names, addresses, partial card details, exposed for anyone to find.
Here's what person two knows.
Under POPIA, Section 99 lets you claim damages from whoever caused the breach,
and you don't need to prove they were negligent. The law calls it strict liability. If it happened and it cost you money, that's grounds enough.
Two free moves from here. Ask the Information Regulator to institute the claim for you. Or take it to Small Claims Court, no lawyer needed, for anything under R20,000.
On Capitec's side, ask them to waive the R70 since none of this was your doing. Refuse? The National Financial Ombud Scheme hears that complaint for free too.
R70 times 25 million active clients. Do the math yourself.
Same notification. Same fee.
Only one of them knew it was negotiable.
I really dislike the concept of “we experience people differently” because what have I done for you to be horrible to me but kind to the next person?? 😭