Thousands of data subjects were harmed by the recent cyber-attack on S&R Membership Shopping, according to the National Privacy Commission (NPC). The NPC said in a statement that it received an initial breach report from S&R on November 15, 2021, at 4:47 p.m. regarding a cyber-attack that may have affected the personal data of its members. The breach was discovered on November 14, 2021, according to the NPC.
S&R is a membership-based shopping club modeled after the American warehouse membership shopping chains. The basic idea is to provide significant value to member-customers through a system that is based on aggressive buying, low-cost distribution, and streamlined operations.
S&R Pricemart was founded in 2001 as a joint venture with PriceSmart of the United States. The name "S&R" refers to Sol and Robert Price, two American businessmen. PriceSmart was the first big international retailer to enter the Philippine market after the enactment of the Retail Trade Act of 2000, which liberalized the retail sector. The retail chain was rebranded S&R Member Shopping after PriceSmart lost its share in the joint venture in 2005 and was purchased by the Co family in 2006.
S&R submitted a second breach report on November 24, 2021, indicating that the ransomware attack targeted the company's membership system, affecting 22,000 data subjects, according to the privacy body. The NPC cited the company's report as evidence that the S&R members' personal information, including date of birth, phone number, and gender, had been compromised.
“Based on the S&R’s disclosure and confirmation from their data protection officer, credit cards and other financial information were not among the compromised personal data,” the privacy body said. S&R had previously stated that it had been the victim of a cyberattack, but that its "staff quickly and decisively implemented our cybersecurity protocols, allowing us to restart our system operations."
Despite this, the NPC ordered S&R to submit a technical report on the event from a third-party cyber security company. The corporation was also reminded of its obligation to properly disclose and individually notify any affected data subjects, according to the agency. “They (S&R) informed the Commission that they instituted measures to secure their system, recover compromised data, prevent further disclosure, and recurrence of similar attacks,” the NPC said.