Unauthorized GCash transactions caused by phishing attack – NPC

MANILA, Philippines - The recent security breach which affected some GCash users was a result of phishing attacks, according to the National Privacy Commission (NPC).

In a statement yesterday, the NPC said it has concluded its extensive investigation into the reported unauthorized transactions involving multiple GCash accounts.

After careful examination and independent verification of the incident, the NPC was able to confirm that the security breach was due to phishing attacks.

“Upon our thorough investigation, we have determined that the unauthorized transactions in GCash accounts were a result of a meticulous phishing scheme,” Privacy Commissioner John Henry Naga said.

“Unknown threat actors took advantage of vulnerable GCash users, triggering the phishing scheme through online gambling websites such as ‘Philwin’ and ‘tapwin1.com,’” Naga added.

The NPC’s Complaints and Investigation Division initiated an independent investigation on May 9, to ascertain the extent of the alleged unauthorized transactions and determine if there is a possible compromise of personal data and other potential violations of the Data Privacy Act of 2012. On May 12, the NPC held a clarificatory meeting with G-Xchange Inc. (GXI), providing information gathered from their internal investigation and outlining the measures taken to address the incident.

During the meeting, the NPC raised concerns and requested additional information and proof from GXI to enable the conduct of an independent assessment and verify the company’s claims.

Subsequently, on May 19, GXI submitted its compliance with the orders issued by the NPC.

“We have ordered GXI to intensify its education and awareness campaign to its clients to prevent similar incidents in the future,” Naga said.

“We assure the public that the National Privacy Commission remains resolute in its mandate to safeguard the rights of data subjects and protect personal information.

We will employ the full extent of our powers under the law to penalize those who violate the Data Privacy Act,” he said.

The NPC said it remains committed to promoting a safe and secure digital environment for all Filipinos and urges everyone to remain vigilant against phishing attacks that would compromise their personal information.–  Rainier Allan Ronda