Personal data of some 22,000 customers of S&R Membership Shopping may have been compromised following a cyber-attack on the company’s security system.
The National Privacy Commission (NPC) said S&R submitted a supplemental breach report Wednesday, Nov. 24, 2021, confirming its initial breach notification filed on Nov. 15, 2021 after discovering the security incident the day before.
NPC said that S&R confirmed that the subject of the ransomware attack was the S&R membership system affecting twenty-two thousand (22,000) data subjects.
According to the said report, the following personal data were compromised: date of birth, contact number and gender.
NPC also said that based on the S&R’s disclosure and confirmation from their data protection officer (DPO), credit cards and other financial information were not among the compromised personal data.
They informed the Commission that they instituted measures to secure their system, recover compromised data, prevent further disclosure, and recurrence of similar attacks.
The NPC reiterated to S&R their obligation to fully disclose and individually notify the affected data subjects. Likewise, the Commission directed them to provide the technical report of the incident from the third-party cyber security firm.