MANILA, Philippines — The National Privacy Commission (NPC) has ordered an in-depth investigation of a potential personal data breach involving compromised accounts of the mobile application GCash.
In a statement released yesterday, the NPC said the investigation is in line with the glitch that occurred on May 10, which forced the temporary halt of GCash app operations.
“The NPC’s Complaints and Investigation Division (CID) has been closely monitoring this incident since May 9, 2023 amidst circulating reports of GCash users on suspicious transactions on their GCash accounts, to determine the existence of breach and its extent, and whether there are any other violation of the provisions of the Data Privacy Act of 2012,” the NPC said.
The NPC said it issued a notice to explain and an order addressed to G-Xchange, Inc. (GXI), the company managing GCash on May 10.
This ordered the company to appear before the NPC for a clarificatory meeting and to provide additional information and documents.
The said clarificatory meeting was held on May 12, where GXI presented information to the NPC about their investigation and the measures taken with dispatch to address the incident.
“The NPC will issue another order instructing GXI to provide further information and documents to enable an independent assessment and verify the claims presented by GXI on the supposed phishing being the cause of the glitch,” the NPC said.
Privacy Commissioner John Henry Naga assured the public that the NPC has made all necessary steps to protect the rights of GCash clients as data subjects.
“The NPC is committed to safeguard the privacy of all individuals and will continue to provide guidance on how the public can better protect themselves from violations of their data privacy rights, even as these threat actors are also becoming more sophisticated in the pursuit of their criminal design,” Naga said, stressing that the NPC will diligently exercise its powers under the law against any party found to be in violation of the Data Privacy Act.
As the country’s privacy watchdog, the NPC is an independent body mandated to administer and implement the Data Privacy Act of 2012 and to monitor and ensure compliance of the country with international standards set for data protection.