22,000 data subjects affected in S&R cyber-attack — National Privacy Commission

enablePagination: false
maxItemsPerPage: 10
maxPaginationLinks: 10

Metro Manila (CNN Philippines, November 24) — The recent cyber-attack against S&R Membership Shopping compromised select personal data of some 20,000 individuals, the National Privacy Commission said Wednesday.

“The company submitted a supplemental breach report today, Nov. 24, 2021, confirming that the subject of the ransomware attack was the S&R membership system affecting twenty-two thousand (22,000) data subjects,” said the Commission in a statement.

Citing the report, the NPC said the birthdate, contact number, and gender of the members were compromised in the attack.

The agency also noted that no credit cards and other financial information were put at risk, affirming the membership-only retail warehouse club’s prior assurance.

“They informed the Commission that they instituted measures to secure their system, recover compromised data, prevent further disclosure, and recurrence of similar attacks,” said the NPC, adding it has reiterated to the firm its obligation to fully disclose and notify those affected individually.

The NPC likewise ordered S&R to provide the incident’s technical report from their third-party cyber-security firm.

The NPC confirmed earlier this Wednesday it received S&R’s breach report on Nov. 15, a day after the membership-only retail warehouse club was hit by a cyber-attack.

S&R only made its public announcement on Wednesday morning, uploading an advisory dated Nov. 21.

The company also assured its team “acted immediately and decisively” to execute their cybsecurity protocols, allowing them to resume system operations.

“Although there have been numerous reports of cyber-attacks in the Philippines, we strongly condemn their criminal acts perpetrated against private companies and we are treating this matter very seriously,” said S&R.