Statement of NPC on S&R data breach

The National Privacy Commission (NPC) received an initial breach notification report on November 15, 2021, 4:47 PM, from S&R Membership Shopping in relation to a cyber-attack that may have compromised its members’ contact information. The S&R said that it discovered the security incident last November 14, 2021.

The company has then submitted an supplemental breach report today, November 24, 2021, confirming that the subject of the ransomware attack was the S&R membership system affecting twenty-two thousand (22,000) data subjects. According to the said report, the following personal data were compromised:

– date of birth

– contact number

– gender

Based on the S&R’s disclosure and confirmation from their data protection officer (DPO), credit cards and other financial information were not among the compromised personal data.

They informed the Commission that they instituted measures to secure their system, recover compromised data, prevent further disclosure, and recurrence of similar attacks.

The NPC reiterated to S&R their obligation to fully disclose and individually notify the affected data subject. Likewise, the Commission directed them to provide the technical report of the incident from the third-party cyber security firm.

Chief, Compliance and Monitoring Division