MANILA – The National Privacy Commission on Wednesday said S&R Membership Shopping informed it this afternoon of the extent of the data compromised in the recent cyber-attack on the company.
The NPC said that based on the initial breach notification submitted by S&R on Nov. 15, the company discovered the security incident on Nov. 14.
The privacy watchdog said S&R informed it in a supplemental breach report on Wednesday afternoon that “the subject of the ransomware attack was the S&R membership system affecting 22,000 data subjects.”
A ransomware attack encrypts the files of a victim, making them inaccessible. A ransom is then demanded to restore access to the data.
Data on S&R members’ dates of birth, contact numbers, and gender “were compromised,” the NPC said.
Earlier today, S&R said “limited membership data, which are confined to contact information may have been compromised in a recent cyber attack.”
But the company assured members that credit card and other financial information “are safe and secured” and are covered by encryption measures.
The NPC said S&R has told the agency that it has instituted measures to secure the company’s system, recover compromised data, and prevent further disclosure and the recurrence of similar attacks.
In a statement, S&R said it has already informed its members directly, reassuring them that no credit card details and other financial information have been compromised.
ICT rights advocate Pierre Tito Galla said S&R members whose data was affected should be on guard for potential identity theft.
“In this case, if contact information is involved, the risk includes potential identity theft,” Galla said.
– With a report from Warren de Guzman, ABS-CBN News