Source: site
The National Privacy Commission (NPC) concluded its investigation into an alleged GCash data leak, finding that no personal data breach occurred within the mobile wallet’s systems.
The NPC launched an inquiry following reports that a dataset allegedly belonging to GCash was being offered on a deep web forum.
After directing G-Xchange Inc., the operator of GCash, to submit technical documentation, preserve system logs and participate in a technical demonstration, the NPC’s Complaints and Investigation Division (NPC-CID) conducted an independent validation.
The NPC said the dataset circulating online was inconsistent with GCash’s verified data structures.
Several listed accounts were found to be invalid or inactive, and no indicators of unauthorized access, infiltration or data exfiltration were detected within GCash’s monitored environments.
A live technical demonstration of the GCash system, which covered the period from Jan. 1, 2025 to Oct. 29, 2025, confirmed that no unauthorized access attempts were made to critical databases, including the one storing electronic Know-Your-Customer (eKYC) data.
The demonstration returned zero events, confirming that only pre-approved internal IP addresses interacted with the system, strongly indicating that no breaches occurred.
The NPC reiterated its commitment to monitoring threats to personal data and working closely with regulated entities to ensure compliance with the Data Privacy Act of 2012 (DPA) and its implementing rules and regulations.
The commission also issued a warning to individuals and groups engaging in the unauthorized access, sale or distribution of personal data, stressing that such acts are clear violations of the DPA and punishable under the law.
It encouraged the public to remain cautious and report any suspected personal data breaches or privacy violations to the NPC.
Upcoming Events
