The National Privacy Commission (NPC) on Wednesday said thousands of data subjects were affected by the recent cyber-attack on S&R Membership Shopping.
In a statement, the NPC said it received an initial breach notification from S&R on November 15, 2021 at 4:47 p.m. concerning a cyber-attack that may have compromised its members’ personal data.
The NPC said that the company discovered the breach on November 14, 2021.
The privacy body said that S&R then submitted a supplemental breach report on November 24, 2021 confirming that the target of the ransomware attack was the company’s membership system, affecting 22,000 data subjects.
Citing the company’s report, the NPC said that S&R members’ personal data, such as date of birth, contact number, and gender, were compromised.
“Based on the S&R’s disclosure and confirmation from their data protection officer, credit cards and other financial information were not among the compromised personal data,” the privacy body said.
Earlier, S&R said that it became a target of a cyberattack but its “team immediately and decisively to implement our cybersecurity protocols that enabled us to resume our system operations.”
The company also said that “limited membership data, which are confined to contact information, may have been compromised” and that its members’ financial information is safe and secure as “these data are protected by encryption measures as required by regulation.”
The NPC, nonetheless, directed S&R to provide a technical report of the incident from a third-party cyber security firm.
The agency also reminded the company of its obligation to fully disclose and individually notify the affected data subjects.
“They (S&R) informed the Commission that they instituted measures to secure their system, recover compromised data, prevent further disclosure, and recurrence of similar attacks,” the NPC said.
The cyber-attack on S&R came amidst the influx of spam text messages recruiting subscribers to suspicious job offers with high salaries.
The NPC found, in its investigation, that a global organized syndicate is behind the influx of spam text messages.
The privacy body also eased concerns that the spam messages might be due to leaks from contact tracing forms, saying there is no direct evidence showing such a correlation. -NB, GMA News