Around 22,000 members of S&R have been affected after the company's membership system was hit by a ransomware attack, according to the National Privacy Commission (NPC) on Wednesday.
S&R submitted a report to the NPC on Wednesday, according to the privacy watchdog, stating that its members' personal data, such as date of birth, contact number, and gender, were compromised.
Credit cards and other financial information, however, were not affected, said to the NPC, citing S&R's data protection officer.
The incident was discovered on November 14, with the initial breach notification report submitted on November 15.
On Wednesday, S&R posted on Facebook about the incident, where it said its team "immediately and decisively" implemented the company's cybersecurity protocols.
"Our business was not affected, and we continue to deliver a convenient and fulfilling member-customers shopping experience," it said in a statement.
It added that it condemns the incident, and measures are being implemented to further secure their systems.
"We strongly condemn these criminal acts perpetuated against private companies and we are treating this matter very seriously," the company said.
"Rest assured that we are implementing measures to further reinforce the security of our IT system."
The NPC, meanwhile, said it already directed S&R to provide a technical report of the incident from a third-party cyber security firm.
