22,000 Affected In S&R Ransomware Attack

Personal data of 22,000 shoppers of S&R Membership Shopping have been compromised in a ransomware attack, the National Privacy Commission (NPC) said on Wednesday, Nov. 24.

In a statement, Rainier Milanes, chief of compliance and monitoring division at NPC said the commission received a supplemental breach report from S&R on Wednesday confirming that the subject of the ransomware attack was the membership system affecting 22,000 data subjects.

“According to the said report, the following personal data were compromised: date of birth, contact number [and] gender,” he said.

He also said credit card and other financial information were not among the compromised data based on S&R’s disclosure and confirmation from their data protection officer.

The NPC received an initial breach notification report from S&R last Nov. 15.

Milanes said the security incident was discovered by S&R last Nov.14.

In an advisory to members dated Nov. 21 and posted on its Facebook page on Wednesday, S&R said it recently became the target of a cyber attack.

“Limited membership data, which are confined to contact information, may have been compromised,” S&R said.

“However, all our members’ credit card and other financial information are safe and secured, as these data are protected by encryption measures as required by regulation,” it added.

S&R also said it has informed the NPC of the incident. Milanes said S&R informed NPC of the measures that were implemented to secure the system, recover compromised data, prevent further disclosure, and the recurrence of similar attacks.

Following the cyber attack, S&R said it immediately took action through cybersecurity protocols, allowing the resumption of system operations.

“Our business was not affected, and we continue to deliver a convenient and fulfilling member-customers shopping experience,” S&R said.