Online lending firm Cashalo issued a statement on Saturday, Feb. 20, saying its “IT security team discovered a potential data security incident involving a Cashalo-only database archive”.
The statement comes after the National Privacy Commission (NPC) released an advisory on Friday, Feb. 19, that it is investigating the online selling of personal data of Cashalo customers.
Launched in 2018 in the Philippines, Cashalo is fully-owned by Hong Kong-based group Oriente. Local conglomerate JG Summit used to hold a minority stake in the company but is now only a strategic partner.
In its statement, Cashalo said the leak came from “an individual [who] claimed to be in possession of a Cashalo customer database taken from a non-production system used by the company.”
This incident, it said, resulted in unauthorized access to a database archive that contained some personal data of Cashalo customers, including some combination of usernames, email, phone numbers, device ID, and encrypted passwords.
The lending firm said it has since taken the system offline and activated investigations and is now working closely with cybersecurity experts and the relevant authorities, including the NPC.
“Our encryption implementation ensured that no customer accounts or passwords were compromised. Protecting the data and privacy of our users is of utmost importance to us,” it said.
Cashalo said it is “currently conducting a thorough impact assessment with urgency to determine the nature and extent of data that has been potentially accessed.”
“We are notifying affected individuals about this incident consistent with our goal of being transparent. Our priority is to work directly with stakeholders to provide support and help them manage any potential risks,” it said.