Cyber Incident Victim: S&R Membership Shopping
Date: Nov 2021
Location: Philippines
Summary
A cyber attack targeting S&R Membership Shopping compromised personal data belonging to 22,000 members. The organization discovered the security incident and promptly notified the National Privacy Commission, later submitting a supplemental breach report. Unauthorized access to member information occurred during the breach, and the company's web server remained offline following the attack.

| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |

Description
On November 14, 2021, S&R Membership Shopping discovered a cybersecurity incident that compromised its members' personal data. The company promptly notified the National Privacy Commission (NPC) of the Philippines through a breach report submitted on November 15, 2021. This initial notification indicated the attack potentially exposed sensitive member information, though specific technical details about the attack vector or intrusion methods were not publicly disclosed. S&R subsequently provided a supplemental breach report to the NPC on November 24, 2021, suggesting an ongoing internal investigation to assess the full scope of the incident. The NPC publicly confirmed the breach on November 24, verifying that approximately 22,000 members were affected by the data compromise. At the time of the Manila Bulletin's reporting, S&R's web server remained offline, indicating potential operational disruptions resulting from the attack or subsequent containment measures.

The confirmed impact involved unauthorized access to personal data belonging to S&R's membership base, though the specific categories of compromised data (such as names, contact details, or financial information) were not detailed in available reports. The NPC's public acknowledgment served as the primary verification of the incident's scale, emphasizing the exposure of 22,000 individuals' records. No information was disclosed regarding whether attackers exfiltrated data, deployed ransomware, or made explicit demands. S&R's breach reports to the NPC fulfilled regulatory obligations under Philippine data protection laws, but the company did not release public statements detailing remediation steps for affected members, such as credit monitoring or password resets. The web server outage observed following the incident suggested potential efforts to isolate systems, though the duration and effectiveness of this measure were not specified. The NPC's role remained confined to receiving mandatory notifications and publicly confirming the breach's occurrence and basic scope.
