The National Privacy Commission (NPC) has officially concluded that no data breach occurred in the systems of G-Xchange Inc. (GXI), the operator of GCash, following a thorough technical investigation into reports of a massive data leak allegedly involving millions of user accounts.
In a press statement on Thursday, October 30, the NPC said its investigation found “no sufficient basis to conclude that a personal data breach occurred within GCash.”
The probe began immediately after the commission discovered reports of a dataset allegedly containing GCash user information being offered on a dark Web forum.
On October 27, the NPC issued an order directing GXI to submit technical documentation, preserve system logs, and participate in a clarificatory conference and live technical demonstration before the NPC’s Complaints and Investigation Division (NPC-CID).
GXI complied with the order, providing written explanations and technical materials for independent validation. The NPC-CID’s forensic analysis revealed that the dataset circulating online was inconsistent with GCash’s verified data structures, with several accounts found to be invalid or inactive.
Crucially, the NPC-CID detected no signs of unauthorized access, infiltration, or data exfiltration within GCash’s monitored environments.
During a live technical demonstration held on October 29, the NPC examined GCash’s critical databases, including those storing electronic Know-Your-Customer (eKYC) data, covering the period from January 1 to October 29, 2025.
The results showed zero incidents of unauthorized access, confirming that only pre-approved internal IP addresses had interacted with the system.
“This strongly indicates that no breaches, unauthorized access, infiltration, or exfiltration attempts occurred,” the NPC said.
The privacy body reaffirmed its commitment to act “promptly and independently” on all alleged data breach reports to protect the rights of Filipino data subjects.
It also stressed that it will continue to work closely with regulated entities to ensure compliance with the Data Privacy Act of 2012 and its Implementing Rules and Regulations.
The NPC also issued a warning to individuals and groups engaged in the unauthorized access, sale, or distribution of personal data, noting that such acts are punishable under Philippine law.
“The public is encouraged to remain cautious and to report any suspected personal data breaches or privacy violations to the NPC,” the commission said.
The NPC’s conclusion aligns with the Cybercrime Investigation and Coordinating Center (CICC), whose early findings also showed no evidence of a GCash system compromise.
The CICC said the data that surfaced online appeared to be recycled or previously exposed information and not the result of a new breach.
Both agencies’ findings reinforce that GCash’s systems remain uncompromised, despite widespread concerns following dark Web claims of leaked data.
