Privacy body probes alleged GCash data leak

Metro Manila, Philippines - The National Privacy Commission said it has launched an investigation on reports of a data leak in G-Xchange Inc., the operator of e-wallet GCash, a claim denied by the company on Monday, Oct. 27.

The NPC mounted the probe following a post by a user under the alias, “Oversleep8351,” on Sunday, Oct. 26, that claimed to sell user information on the dark web.

The information included merchant and user data, GCash account numbers, linked bank and virtual accounts, and know your customer (KYC) records that contained names, addresses, employment details, and valid Philippine identification cards.

The NPC’s complaints and division investigation had already issued a notice to explain to the e-wallet operator for further details about the alleged incident. The agency said it has yet to receive a data breach notification from the company.

In an advisory, GCash said there is no evidence of any data breach on its systems, and that all accounts and funds remain secure.

It said the investigation conducted by its cybersecurity experts showed that the alleged compromised dataset did not match the data from GCash systems, and many entries were incomplete, invalid, or do not belong to GCash users.

“These findings strongly indicate that the data being circulated did not originate from GCash,” the company said.

It said it is working closely with the NPC, the Bangko Sentral ng Pilipinas, and the Cybercrime Investigation and Coordinating Center to monitor and validate information from all possible sources and ensure the protection of its systems.

The NPC warned users to monitor their accounts, update their MPINs and passwords, and enable security features to protect their data.

It also reminded users to remain on alert against phishing attempts and refrain from sharing personal or sensitive data pending the investigation.

NewsWatch Plus Intern Jhon Paul "PJ" De Vera contributed to this report.