NPC probes alleged data leak on dark web

The National Privacy Commission (NPC) has launched an investigation into an alleged data breach involving G-Xchange Inc., the operator of the mobile wallet service GCash, after reports of user data being sold on the dark web surfaced online last week.

In a statement on Monday, 27 October, the NPC said it acted swiftly following the appearance of a post by a threat actor using the alias “Oversleep8351” on 25 October. The post allegedly offered to sell GCash user information, including merchant and account details, linked bank and virtual card data, and Know Your Customer (KYC) records containing names, addresses, employment information, and valid Philippine identification cards.

“The NPC has immediately launched an investigation after a dark web post appeared claiming to sell user information,” the commission said.

The NPC’s Complaints and Investigation Division has issued a Notice to Explain (NTE) to G-Xchange, Inc. to obtain further details and scheduled an online clarificatory conference to discuss the matter in depth.

“Should the investigation confirm that the personal data of GCash users have been compromised, the NPC will take regulatory and enforcement action within its mandate under the Data Privacy Act of 2012,” the agency added.

The commission also urged GCash users to closely monitor their accounts, enable additional security measures, and remain alert against phishing attempts or suspicious messages while the probe is ongoing.

GCash: ‘No evidence of breach’

In a separate statement, GCash denied that a data leak occurred, assuring users that their accounts and funds remain secure.

“GCash is aware of an online post alleging that user information is being sold on the dark web. The security and privacy of our users remain our highest priority,” the company said.

GCash said an internal investigation conducted with its cybersecurity experts and relevant authorities found that the alleged dataset does not match the data structure used within its systems.

“Further analysis reveals that it includes individuals who are not GCash users, and that many entries appear incomplete, inconsistent, or invalid. These findings strongly indicate that the material being circulated did not originate from GCash,” the company explained.

The firm also said it is working closely with the Bangko Sentral ng Pilipinas (BSP), the NPC, and the Cybercrime Investigation and Coordinating Center (CICC) to validate the claims and ensure that its systems remain protected.

GCash reminded users to stay vigilant and report any suspicious activity through official GCash channels only.