NATIONAL
Advocates Philippines
NPC: Phishing Attacks Confirmed As Cause Of Unauthorized GCash Transactions
The National Privacy Commission (NPC) has completed its investigation into unauthorized transactions on several GCash accounts, revealing that the security breach occurred due to "phishing" attacks.
Privacy Commissioner John Henry D. Naga announced the findings, stating, "Upon our thorough investigation, we have determined that the unauthorized transactions in GCash accounts were a result of a meticulous phishing scheme."
He explained that unknown threat actors exploited vulnerable GCash users by initiating the phishing scheme through online gambling websites such as 'Philwin' and 'tapwin1.com.'
The investigation was initiated on May 9, by the NPC's Complaints and Investigation Division (CID).
Their objective was to assess the extent of the alleged unauthorized transactions and determine if there was a compromise of personal data or other potential violations of the Data Privacy Act of 2012.
On May 12, the NPC conducted a clarificatory meeting with G-Xchange, Inc. (GXI), the company behind GCash.
During the meeting, GXI provided information gathered from their internal investigation and outlined the measures taken to address the incident.
The NPC raised concerns and requested additional information and evidence from GXI to facilitate an independent assessment and verify the company's claims.
Subsequently, on May 19, GXI submitted its compliance with the orders issued by the NPC. The company was directed to enhance its education and awareness campaign to prevent similar incidents in the future.
"We assure the public that the National Privacy Commission remains resolute in its mandate to safeguard the rights of data subjects and protect personal information," Privacy Commissioner Naga affirmed. "We will employ the full extent of our powers under the law to penalize those who violate the Data Privacy Act of 2012."
Privacy Commissioner John Henry D. Naga announced the findings, stating, "Upon our thorough investigation, we have determined that the unauthorized transactions in GCash accounts were a result of a meticulous phishing scheme."
He explained that unknown threat actors exploited vulnerable GCash users by initiating the phishing scheme through online gambling websites such as 'Philwin' and 'tapwin1.com.'
The investigation was initiated on May 9, by the NPC's Complaints and Investigation Division (CID).
Their objective was to assess the extent of the alleged unauthorized transactions and determine if there was a compromise of personal data or other potential violations of the Data Privacy Act of 2012.
On May 12, the NPC conducted a clarificatory meeting with G-Xchange, Inc. (GXI), the company behind GCash.
During the meeting, GXI provided information gathered from their internal investigation and outlined the measures taken to address the incident.
The NPC raised concerns and requested additional information and evidence from GXI to facilitate an independent assessment and verify the company's claims.
Subsequently, on May 19, GXI submitted its compliance with the orders issued by the NPC. The company was directed to enhance its education and awareness campaign to prevent similar incidents in the future.
"We assure the public that the National Privacy Commission remains resolute in its mandate to safeguard the rights of data subjects and protect personal information," Privacy Commissioner Naga affirmed. "We will employ the full extent of our powers under the law to penalize those who violate the Data Privacy Act of 2012."
May 25, 2023
