NPC concludes probe into GCash, says no data breach found

The National Privacy Commission (NPC) on Thursday announced it has concluded its investigation into the alleged data leak involving G-Xchange Inc. (GCash), finding that no personal data breach occurred within the mobile wallet's systems.

On Monday, the NPC launched a probe after a post was made on the Dark Web by what the it described as a "threat actor," who used the alias "Oversleep8351," linking bank and virtual card accounts, and customer records containing names, addresses, employment details, and valid Philippine IDs. The same account was offering GCash account numbers to other users.

GCash has since denied claims and maintained that its systems remain secure.

The Department of Information and Communications Technology's Cybercrime Investigation and Coordinating Center (CICC) supported GCash's defense, saying that its own assessment found that data propagated online by the "threat actor" appear to be "recycled information," which could be an older or previously available data "reused or reshared to appear as newly compromised material."

"Further examination also shows that the datasets in question do not originate from GCash's systems," the CICC said.

The NPC, citing its probe, said GCash was ordered to submit technical documentation, preserve system logs, and appear in a clarificatory conference and live technical demonstration before the commission's Complaints and Investigation Division (NPC-CID).

The mobile wallet, the NPC said, complied with the order and submitted its written explanation, supporting materials, and participated in a clarificatory conference and live technical demonstration.

"Independent validation by the NPC-CID confirmed that the dataset circulating online was inconsistent with GCash's verified data structures," the NPC said.

"Several of the listed accounts were found to be invalid or inactive, and no indicators of unauthorized access, infiltration, or data exfiltration were detected within GCash's monitored environments," it added.

The privacy body said results of the live technical demonstration of GCash's system conducted on October 29, 2025 indicate that "no unauthorized access attempts were made to GCash/GXI's critical databases, including the database storing eKYC data."

The NPC further said the demonstration, which covered the period from January 1, 2025 to October 29, 2025, returned zero events, confirming that only pre-approved internal IP addresses interacted with the system. 

"This strongly indicates that no breaches, unauthorized access, infiltration, or exfiltration attempts occurred," the NPC said.

GCash on Wednesday reiterated that systems were not compromised and there has been no breach or leak of its customers' data. 

The mobile wallet said "all customer accounts and funds remain safe and secure."

Further, GCash said the post in question has since been deleted, "confirming assessments from both GCash and the Cybercrime Investigation and Coordinating Center (CICC) that the supposed leak was fake and involved recycled information from a previous, unrelated incident." — VDV, GMA Integrated News