After an extensive investigation, the National Privacy Commission (NPC) announced last May 24 that they’ve concluded that phishing attacks were behind the recent GCash fiasco involving unauthorized transactions that affected a number of users.

The NPC ruled out hacking as the cause after an independent verification and examination did confirm phishing attacks were behind the unauthorized GCash transactions.

“Upon our thorough investigation, we have determined that the unauthorized transactions in GCash accounts were a result of a meticulous phishing scheme,” said NPC Commissioner John Henry D. Naga.

“Unknown threat actors took advantage of vulnerable GCash users, triggering the phishing scheme through online gambling websites such as ‘Philwin’ and ‘tapwin1.com’,” the commissioner added.

On May 9, the Complaints and Investigation Division (CID) of the NPC conducted an independent investigation to figure out the extent of the alleged unauthorized GCash transactions and to determine if there had been a compromise of the user’s personal data and other possible violations of the Data Privacy Act of 2012.

By May 12, 2023, the NPC had a clarificatory meeting with GCash operator G-Xchange, Inc., to gather their internal investigation and to outline the measures that needed to be taken to address the incident.

The NPC then raised their concerns and requested additional details and proof from G-Xchange so they can verify the company’s claims. G-Xchange complied by May 19.

Naga said that they have ordered G-Xchange to increase their user education and awareness campaign to prevent similar incidents from happening in the future.

“We assure the public that the National Privacy Commission remains resolute in its mandate to safeguard the rights of data subjects and protect personal information. We will employ the full extent of our powers under the law to penalize those who violate the Data Privacy Act of 2012,” Naga said.

Leave a comment

Your email address will not be published. Required fields are marked *