The country’s leading super-app, GCash, maintained that there is no evidence that a data breach happened on Monday, assuring customers that their funds and information remain safe and secure.
“GCash is aware of an online post alleging that user information is being sold on the dark web. There is no evidence of any breach in GCash systems. All customer accounts and funds remain secure. Upon swift investigation of our cybersecurity experts, the alleged dataset does not match data from GCash systems. Additionally, many entries are incomplete, invalid, or do not belong to GCash users,” GCash said in a statement.
The fintech giant further stressed that these findings strongly indicate that the data being circulated did not originate from GCash.
“We continue to work closely with the BSP, NPC, and CICC to monitor and validate information from all possible sources and ensure that our systems remain protected. GCash remains fully committed to safeguarding customer data, strengthening our defenses, and upholding the trust of millions of Filipinos,” it said.
Meanwhile, the National Privacy Commission (NPC) on Monday urged the public to exercise heightened vigilance following reports of a data leak allegedly involving G-Xchange, Inc., operator of GCash.
The privacy watchdog disclosed that it immediately launched an investigation after a dark web post appeared claiming to sell user information.
“The post, made by a threat actor using the alias ‘Oversleep8351,’ allegedly offers merchant and basic user data, GCash account numbers, linked bank and virtual card accounts, and KYC (Know Your Customer) records containing names, addresses, employment details, and valid Philippine IDs,” the NPC said.
Following this, the NPC’s Complaints and Investigation Division issued a Notice to Explain (NTE) to G-Xchange, Inc. to obtain further details about the alleged incident.
“An online clarificatory conference has also been scheduled to facilitate a more detailed discussion of the matter. As of 10:30 a.m. on 27 October 2025, the NPC has not received any official data breach notification from the company. Should the investigation confirm that the personal data of GCash users have been compromised, the NPC will take regulatory and enforcement action within its mandate under the Data Privacy Act of 2012,” the NPC explained.
With this, the agency advised GCash users to actively monitor their accounts, regularly update their MPINs and passwords, and enable additional security features to protect their information.
“They must also remain alert to phishing attempts and refrain from sharing personal or sensitive data while the investigation is ongoing. The NPC will issue verified updates as soon as more information becomes available. In the meantime, the public is advised to exercise caution and refrain from engaging with or sharing unverified claims circulating online,” the NPC said.