NPC probes alleged GCash data leak; firm says systems remain secure

The National Privacy Commission (NPC) has launched an investigation into the alleged data breach involving GCash operator G-Xchange Inc., which has denied such claims and maintained that its systems remain secure.

In a statement released Monday, the NPC — tasked to ensure the Philippines’ compliance with international data standards — said its Complaints and Investigation Division has already issued G-Xchange Inc. a notice to explain to obtain further details on the alleged incident.

This comes after a post was made on the dark web by what the NPC described as a “threat actor” using the alias “Oversleep8351,” who was offering GCash account numbers, linked bank and virtual card accounts, and know your customer records containing names, addresses, employment details, and valid Philippine IDs.

“As of 10:30 a.m. on 27 October 2025, the NPC has not received any official data breach notification from the company,” the NPC said.

“Should the investigation confirm that the personal data of GCash users have been compromised, the NPC will take regulatory and enforcement action within its mandate under the Data Privacy Act of 2012,” it added.

The NPC has since urged GCash users to actively monitor their accounts and regularly update their MPINs and passwords, and enable additional security features to protect their information. It also urged the public to remain alert to phishing attempts, and refrain from sharing personal or sensitive data.

For its part, GCash said it also launched its own investigation with its cybersecurity experts and relevant authorities to verify the authenticity of the claims, with initial forensic analysis showing that there was no compromise in its systems.

“Initial findings show that the alleged dataset does not match the data structure used within GCash systems. Further analysis reveals that it includes individuals who are not GCash users, and that many entries appear incomplete, inconsistent, or invalid. These findings strongly indicate that the material circulated did not originate from GCash,” it said.

“At this time, there is no evidence of any breach in GCash systems. All customer accounts and funds remain secure,” it added.

Moving forward, GCash said it will continue to coordinate with the NPC, the Bangko Sentral ng Pilipinas (BSP), and the Cybercrime Investigation and Coordinating Center (CICC) to validate information from all possible sources and ensure that systems remain protected.

It has also urged users to remain vigilant, and report any suspicious activity through official channels.—AOL, GMA Integrated News