NPC clears GCash in data leak probe

Maria Bernadette Romero

The National Privacy Commission (NPC) has cleared G-Xchange, Inc. (GCash) of any data breach after a probe into a supposed leak on the dark web found no evidence of unauthorized access or data theft.

The privacy watchdog said Thursday that it immediately launched an investigation after reports surfaced about a dataset allegedly containing GCash user information being offered online.

Early this week, the NPC ordered G-Xchange to submit technical documentation, preserve system logs, and attend a clarificatory conference and live technical demonstration before its Complaints and Investigation Division (NPC-CID).

Following the order, GCash submitted a written explanation and supporting materials, and participated in the clarificatory conference and live technical demonstration under NPC-CID supervision.

Independent validation by the NPC-CID confirmed that the dataset circulating online was inconsistent with GCash’s verified data structures.

Several listed accounts were found to be invalid or inactive, and no indicators of unauthorized access, infiltration, or data exfiltration were detected within GCash’s monitored environments.

The results of the live technical demonstration conducted on Wednesday also showed that no unauthorized access attempts were made to GCash’s critical databases, including those storing electronic Know Your Customer (e-KYC) data.

The review covered the period from the start of the year to 29 October and returned zero events, confirming that only pre-approved internal IP addresses interacted with the system.

“This strongly indicates that no breaches, unauthorized access, infiltration, or exfiltration attempts occurred,” the NPC said.

The agency also warned that “individuals and groups engaging in the unauthorized access, sale, or distribution of personal data… constitute clear violations of the DPA and are punishable under the law.”