NPC report: GCash incident due to phishing attacks

MANILA, Philippines — The National Privacy Commission concluded that the security breach faced by digital wallet giant GCash came from phishing attacks, which showed some measure of sophistication by utilizing online gambling sites.

In a statement, the privacy watchdog indicated its Complaints and Investigation Division mounted an independent investigation surrounding the alleged unauthorized transactions within the platform.

Days before releasing a statement by initiating maintenance activities on May 9, users of the Ayala-backed fintech platform trooped to social media to air their frustration, as some allegedly reported unauthorized transactions that funnelled their money from the digital wallet to certain bank accounts affiliated with East West Bank and Asia United Bank. 

GCash granted limited access to its platform hours after its scheduled maintenance.

"Unknown threat actors took advantage of vulnerable GCash users, triggering the phishing scheme through online gambling websites such as 'Philwin' and 'tapwin1.com'," said NPC commissioner John Henry Naga.

The investigation sought to clarify whether the security breach compromised personal data, possibly violating the Data Privacy Act of 2012.

Come May 12, the privacy watchdog indicated they held a meeting with a subsidiary of Globe’s fintech segment, G-Xchange, Inc. Seven days later, the company complied with NPC’s requests to provide additional data. 

“We assure the public that the National Privacy Commission remains resolute in its mandate to safeguard the rights of data subjects and protect personal information,” NPC added. — Ramon Royandoyan