GCash breach due to phishing via gambling sites, says NPC

The recent unauthorized fund transfers that affected GCash users was due to a “meticulous phishing” scheme through online gambling sites, the National Privacy Commission said as it concluded its probe on the data breach which affected the fintech.

In a statement, NPC said it “has concluded its extensive investigation into the reported unauthorized transactions involving multiple GCash accounts.”

“Upon our thorough investigation, we have determined that the unauthorized transactions in GCash accounts were a result of a meticulous phishing scheme,” said Privacy Commissioner John Henry Naga.

Naga said unknown threat actors took advantage of vulnerable GCash users, triggering the phishing scheme through online gambling websites.

GMA News Online has reached out to GCash for a comment on the commission's findings.

On May 9, a temporary system downtime was implemented by GCash as it investigated the reported unauthorized fund transfers.

The mobile wallet said no hacking took place.

GCash also pointed to “sophisticated phishing,” saying more than 1,000 GCash accounts out of 81 million subscribers have been affected.

It said the incident was isolated and that there were no glitches in the system

The NPC said its Complaints and Investigation Division (CID) conducted

an independent investigation to ascertain the extent of the alleged unauthorized transactions and determine if there is a possible compromise of personal data and other potential violations of the Data Privacy Act of 2012.

The Privacy body held a clarificatory meeting with GCash on May 12, during which the latter provided information gathered from its internal investigation and outlined the measures taken to address the incident.

The NPC said it raised concerns and requested additional information and proof from GCash to enable the conduct of an independent assessment and verify the company's claims.

On May 19, the fintech submitted its compliance with the orders issued by the NPC.

"We have ordered GXI to intensify its education and awareness campaign to its clients to prevent similar incidents in the future,” said Naga.

“We assure the public that the National Privacy Commission remains resolute in its mandate to safeguard the rights of data subjects and protect personal information. We will employ the full extent of our powers under the law to penalize those who violate the Data Privacy Act of 2012,” said the Privacy chief.

The NPC said it is committed to promoting a safe and secure digital environment for all Filipinos and urges everyone to remain vigilant against phishing attacks that would compromise their personal information. —NB, GMA Integrated News