The National Privacy Commission (NPC) on Wednesday, May 24, said its “extensive” investigation has concluded that “phishing” attacks were the main cause of the reported unauthorized transactions involving multiple GCash accounts earlier this month.

The privacy body ruled out hacking as the cause of the cash transfers after an examination and independent verification confirmed that the security breach resulted from the use of “phishing” attacks.

“Upon our thorough investigation, we have determined that the unauthorized transactions in GCash accounts were a result of a meticulous phishing scheme,” said privacy commissioner John Henry D. Naga.

“Unknown threat actors took advantage of vulnerable GCash users, triggering the phishing scheme through online gambling websites such as ‘Philwin’ and ‘tapwin1.com’,” Naga added.

Bangko Sentral ng Pilipinas (BSP) governor Felipe Medalla earlier told the media in an interview in Cebu City that GCash had already reimbursed from its own funds the money taken by the scammers, although it has not publicly acknowledged that a phishing attack had transpired on the e-wallets of GCash users.

The NPC’s Complaints and Investigation Division (CID) began an independent investigation on May 9 to ascertain the extent of the alleged unauthorized transactions and determine whether there was a possible compromise of personal data or other potential violations of the Data Privacy Act of 2012.

On May 12, 2023, the NPC held a clarificatory meeting with G-Xchange, Inc. (GXI), the operator of GCash, which provided information gathered from its internal investigation and outlined the measures taken to address the incident.

The NPC raised concerns and requested additional information and proof from GXI to enable the conduct of an independent assessment and verify the company’s claims.

Subsequently, on May 19, 2023, GXI submitted its compliance with the orders issued by the NPC.

“We have ordered GXI to intensify its education and awareness campaign to its clients to prevent similar incidents in the future,” Naga disclosed.

“We assure the public that the National Privacy Commission remains resolute in its mandate to safeguard the rights of data subjects and protect personal information. We will employ the full extent of our powers under the law to penalize those who violate the Data Privacy Act of 2012,” Naga said.