National Privacy Commission steps up probe of GCash fiasco

Composite photo of cellphone and GCash logo. STORY: National Privacy Commission steps up probe of GCash fiasco

INQUIRER FILE PHOTO

MANILA, Philippines — The National Privacy Commission (NPC) on Saturday ordered an in-depth investigation into a potential personal data breach at GCash, the popular digital payments platform of Globe Telecom Inc., amid recent reports of unauthorized account deductions and longer-than-usual downtimes that inconvenienced many users.

The NPC’s Complaints and Investigation Division has been closely monitoring the incident at GCash since May 9, when reports on social media citing suspicious transactions in the mobile app began to pile up.

“The NPC is committed to safeguard the privacy of all individuals and will continue to provide guidance on how the public can better protect themselves from violations of their data privacy rights, even as these threat actors are also becoming more sophisticated in the pursuit of their criminal design,” NPC Chief Commissioner John Henry Naga said in a statement.

“The NPC will diligently exercise its powers under the law against any party found to be in violation of the Data Privacy Act,” he added.

Telco points to users

The NPC said they would issue another order instructing G-Xchange Inc. (GXI), the company managing GCash, to provide further information and documents to allow an independent assessment and verify GXI’s claims that phishing incidents instead of hacking led to the suspicious transactions reported by some users.

GCash indeed maintained that no hacking was involved in the surge of complaints last Tuesday but that there was a deliberate phishing attempt, a fraudulent activity whereby hackers trick victims into providing their personal information, such as contact details. Getting hold of this information can allow hackers to take over one’s account.

“Some users may have unknowingly shared their information to suspicious sites masked as legitimate brands or institutions,” GCash said in a statement on Saturday.

“Upon detection of these unusual transactions, GCash immediately activated security protocols and deployed preventative security measures,” it added.

The financial technology player placed the popular app under maintenance check. It was able to restore the original account balances within 24 hours.

Bomb threat

“We remain steadfast in ensuring the protection of our customers’ funds and data as we continue to invest in the latest cybersecurity technologies and capabilities,” GCash said.

It added that it would continue to coordinate closely with the NPC and the Bangko Sentral ng Pilipinas following the reports of unauthorized transactions on its platform.

Meanwhile, the bomb threat that paralyzed the afternoon operations of the NPC on Friday turned out to be a hoax, according to the Pasay City police.

After a thorough search of the entire five-story building of the Philippine International Convention Center (PICC) and its immediate vicinity using an explosive detection dog from the Regional Explosive Canine Unit, “no explosive or destructive material or substance was found during the paneling,” it said in its report on Friday evening.

The paneling — the search for explosives or explosive devices — was completed at 4:49 p.m., more than four hours after police responded.

The case has been referred to the Pasay City Police Station Investigation and Detective Management Branch to probe the liability of the user who posted the bomb threat on NPC’s official Facebook page.

“The Pasay City Police Station assures the public that they are continuously monitoring the situation to ensure everyone’s safety and security,” it added.

According to the investigation, members of the Special Weapon and Tactical Unit-Explosive and Ordnance Disposal immediately responded after receiving a call from the PICC security manager about an alleged bomb threat around 12:20 p.m.

Facebook post

The bomb scare erupted when a certain Angelo Iglesias commented on a July 12, 2022, post of the NPC.

“Time bomb set on your building starts now,” he wrote at 11:18 a.m. on Friday.

The NPC then was about to end its virtual meeting with GCash representatives.

According to the commission, it already coordinated with the Cybercrime Investigation and Coordinating Center to investigate the person who posted the bomb threat on its Facebook page.

“We do not have any information yet regarding the individual’s intention or whether the threat is related to any case that NPC handles,” the agency said.

—WITH A REPORT FROM DEXTER CABALZA

RELATED STORIES

DICT conducts own probe on GCash incident

GCash: E-wallets of users affected by transaction disruption adjusted

Cybertheft hits GCash; P37-M transfers flagged

Read more...