The National Privacy Commission (NPC) confirmed on Wednesday, Nov. 24, that it received an initial breach notification report last Nov. 15 at 4:47 PM from grocery store S&R concerning a cyber-attack that may have compromised its members’ personal data.
Rainier Milanes, chief of the compliance and monitoring division of the NPC, said S&R reported the discovery of the security incident last Nov. 14.
“The company submitted a supplemental breach report today, November 24, 2021, confirming that the subject of the ransomware attack was the S&R membership system affecting 22,000 data subjects,” Milanes, a lawyer, said in a statement.
According to the report, the following personal data were compromised:
- Date of birth
- Contact number
- Gender
Based on the S&R’s disclosure and confirmation from their data protection officer (DPO), credit cards and other financial information were not among the compromised personal data, Milanes added.
“They informed the Commission that they instituted measures to secure their system, recover compromised data, prevent further disclosure, and recurrence of similar attacks,” the NPC official said.
Milanes said the NPC has reiterated to S&R its obligation to fully disclose and individually notify the affected data subjects. “Likewise, the Commission directed them to provide the technical report of the incident from the third-party cyber security firm,” he added.
The breach incident has made the rounds online after social media personality Christian Albert “Xian” Gaza disclosed some information on the ransomware attack in a number of posts in his Facebook page.
