The National Privacy Commission (NPC) is investigating the alleged data breach involving G-Xchange, Inc., the operator of GCash.
Reports of the data leak allegedly involving GCash surfaced online on Oct. 25.
“The NPC has immediately launched an investigation after a dark web post appeared claiming to sell user information,” the NPC said in a statement Monday.
The NPC said the post, made by a threat actor using the alias “Oversleep8351,” allegedly offers merchant and basic user data, GCash account numbers, linked bank and virtual card accounts, and KYC (Know Your Customer) records containing names, addresses, employment details, and valid Philippine identification cards.
The NPC’s Complaints and Investigation Division issued a Notice to Explain (NTE) to G-Xchange, Inc. to obtain further details about the alleged incident.
An online clarificatory conference has also been scheduled to facilitate a more detailed discussion of the matter.
“Should the investigation confirm that the personal data of GCash users have been compromised, the NPC will take regulatory and enforcement action within its mandate under the Data Privacy Act of 2012,” the NPC said.
The NPC urged GCash users to actively monitor their accounts, enable additional security features to protect their information, and remain alert to phishing attempts and refrain from sharing personal or sensitive data while the investigation is ongoing.
In a separate statement on Monday, GCash denied the alleged data leak.
“GCash is aware of an online post alleging that user information is being sold on the dark web. The security and privacy of our users remain our highest priority. We take these allegations seriously and immediately launched an investigation with our cybersecurity experts and relevant authorities to verify the authenticity of these claims,” it said.
According to GCash, initial findings showed that the alleged dataset does not match the data structure used within GCash systems.
“Further analysis reveals that it includes individuals who are not GCash users, and that many entries appear incomplete, inconsistent, or invalid. These findings strongly indicate that the material being circulated did not originate from GCash,” GCash said.
“At this time, there is no evidence of any breach in GCash systems. All customer accounts and funds remain secure.”
GCash assured that it is working closely with the Bangko Sentral ng Pilipinas, the NPC, and the Cybercrime Investigation and Coordinating Center to validate information from all possible sources and ensure that its systems remain protected.
It also urged users to remain vigilant and to report any suspicious activity only through official GCash channels. (PNA)
