MANILA, Philippines – The National Privacy Commission (NPC) reported that some 22,000 data subjects were affected in the ransomware attack on S&R Membership Shopping.
In a statement, the NPC said it has received an initial breach notification report on November 15, 2021, 4:47 PM, from S&R Membership Shopping in relation to a cyber-attack that may have compromised its members’ contact information.
The NPC said the firm discovered the cyberattack incident on November 14, 2021.
“The company has then submitted an supplemental breach report today, November 24, 2021, confirming that the subject of the ransomware attack was the S&R membership system affecting twenty-two thousand (22,000) data subjects,” the commission said.
Citing the company’s report, the NPC said the attack compromised S&R’s personal data such as date of birth, contact number, and gender.
“Based on the S&R’s disclosure and confirmation from their data protection officer (DPO), credit cards and other financial information were not among the compromised personal data,” the agency said.
“They informed the Commission that they instituted measures to secure their system, recover compromised data, prevent further disclosure, and recurrence of similar attacks,” it added.
The company earlier said that its team has implemented cybersecurity protocols that enabled them to resume system operations. It also assured that the data affected in the attack were only confined to contact information and its members’ financial data are safe as these are protected by encryption measures as required by regulation.
The NPC reminded the S&R of its obligation to fully disclose and individually notify the affected data subject.
The commission likewise directed them to provide the technical report of the incident from the third-party cyber security firm.