Privacy body investigating potential GCash data breach

The National Privacy Commission (NPC) is looking into the recent reports of unauthorized fund transfers that affected GCash users, citing a "potential personal data breach" involving compromised accounts on the mobile application.

The NPC issued the statement following the May 9 temporary system downtime of GCash to investigate the reported unauthorized fund transfers.

The mobile wallet, however, said no hacking took place.

“The NPC’s Complaints and Investigation Division (CID) has been closely monitoring this incident since May 9, 2023 amidst circulating reports of GCash users on suspicious transactions on their GCash accounts, to determine the existence of breach and its extent, and whether there are any other violation of the provisions of the Data Privacy Act of 2012,” the privacy body said.

The NPC said it issued a notice to explain and an order addressed to G-Xchange, Inc. (GXI) —the operator of GCash— requiring the company to appear before the commission for a clarificatory meeting and to provide additional information and documents.

“The clarificatory meeting was held on May 12, 2023, wherein GXI presented information to the NPC about their investigation and the measures taken with dispatch to address the incident,” it said.

“The NPC will issue another Order instructing GXI to provide further information and documents to enable an independent assessment and verify the claims presented by GXI on the supposed phishing being the cause of the glitch,” it said.

'Constant coordination'

In a statement, GCash said they have been in "constant coordination" with the authorities, the Bangko Sentral ng Pilipinas (BSP), and the NPC in providing the necessary information.

GCash also reiterated that no hacking or glitch occurred on the GCash platform in connection with the May 9 incident.

It said the incident “was a deliberate phishing attempt that happened outside of the GCash app.”

“Some users may have unknowingly shared their information [with] suspicious sites [masquerading] as legitimate brands or institutions. Upon detection of these unusual transactions, GCash immediately activated security protocols, and deployed its preventive security measures. This swift action enabled us to mitigate the impact [on] our customers, which [is] why we were able to correct their e-wallet balances immediately within 24 hours,” GCash said.

“We placed the app on extended preventive maintenance in order to ensure we'd exerted all means necessary to mitigate the impact of this incident.”

GCash said it remains steadfast in ensuring the protection of its customers' funds and data “as we continue to invest in the latest cybersecurity technologies and capabilities.”

“We enjoin the NPC [to reinforce] efforts to educate everyone on the importance of being vigilant in securing their personal information,” it said.

“We will not stop working with the authorities as we endeavor to eliminate fraudsters as our common enemy.”

Privacy Commissioner and Chairman John Henry Naga assured the public that all necessary steps have been taken by the NPC to protect the rights of GCash clients as data subjects.

"The NPC is committed to safeguard the privacy of all individuals and will continue to provide guidance on how the public can better protect themselves from violations of their data privacy rights, even as these threat actors are also becoming more sophisticated in the pursuit of their criminal design," said Naga.

“The NPC will diligently exercise its powers under the law against any party found to be in violation of the Data Privacy Act,” added the Privacy chief.

The BSP is also investigating reports of unauthorized fund transfers involving GCash accounts. 

Funds from GCash accounts were reported to have been transferred to accounts under Asia United Bank (AUB) and East West Banking Corp., with both banks now conducting their own investigations into the matter.

Another temporary downtime 

Meanwhile, GCash experienced another temporary downtime on Saturday.

It apologized for the incident after some users expressed their concerns on social media.

"We apologize for the temporary downtime," it said on Twitter, adding that services had been restored.

The mobile wallet also said that the funds of its users were "safe." —with Richa Noriega/KG/VBL, GMA Integrated News