The National Privacy Commission (NPC) on Tuesday alleged that the personal data of millions of online lending platform Cashalo’s customers was being sold on the “dark web.”
In a statement, the NPC said it conducted a preliminary probe into the data security issue after Cashalo notified it of the incident.
In a statement, Cashalo said its information technology (IT) security team found the potential data security incident involving a database archive on Thursday, February 18, when an individual claimed to have the database, which was taken from a non-production system used by the company.
"This incident resulted in unauthorized access to a database archive that contained some personal data of Cashalo customers, including some combination of usernames, email, phone numbers, device ID, and encrypted passwords. Our encryption implementation ensured that no customer accounts or passwords were compromised," Cashalo said.
Citing its initial findings, the NPC said the data allegedly dumped on the dark web has been on different cyber forums since February 14, 2021.
“A certain user under ‘creepxploit’ sells data of 3.3 million users of Cashalo containing their usernames, passwords, e-mail addresses, phone numbers and device identifications on the dark web as shared in a post on cybleinc.com and RaidForums—even provided sample data for potential buyers,” the Privacy body said.
“Given the facts of the report, the user may have successfully downloaded files from the database of the application, which is still up for sale as of writing, February 22, 2021,” it added.
Sought for clarification, Karun Arya, vice president for Corporate Affairs of Oriente, parent firm of Cashalo, said that “the information regarding someone selling this info is what our security team found, so both NPC and Cashalo are working off the same original information.”
In a statement posted on its website, however, Cashalo said, “Our encryption implementation ensured that no customer accounts or passwords were compromised.”
The NPC reached out to Cashalo through its Data Protection Officer to coordinate on this incident and required the company to provide additional information.
Likewise, Cashalo said it is currently conducting a thorough impact assessment with urgency to determine the nature and extent of data that has been potentially accessed.
The Privacy body said that it intends to do further monitoring and investigation in cooperation with the parties involved “upholding its mandate in protecting personal information of data subjects.”
The agency noted that “until we have completed the investigation and decision regarding Cashalo, we would like to refrain from providing further details, especially in the liabilities, as to not compromise the due process.”
Cashalo, meanwhile, said “as a precaution, we encourage customers to change their passwords.” — BM, GMA News