National Privacy Commission: GCash Unauthorized Transactions Result of Phishing Attacks from PhilWin, TapWin1
Editing by Nathaniel Cajuday
- The National Privacy Commission (NPC) concluded that the security breach affecting GCash users was caused by phishing attacks orchestrated by unknown threat actors.
- The NPC also stressed that the phishing attacks were carried out through online gambling platforms like “Philwin” and “tapwin1.com.”
- The privacy watchdog then ordered GXI, GCash’s mother company, to enhance its education and awareness campaign to prevent similar incidents in the future.
“Upon our thorough investigation, we have determined that the unauthorized transactions in GCash accounts were a result of a meticulous phishing scheme.”
This is the statement released by National Privacy Commission (NPC) Commissioner John Henry Naga, after the data privacy watchdog's recent probe concluded that the security breach that affected some GCash users was a result of phishing attacks, most specifically from online gambling platforms like “Philwin” and “tapwin1.com.”
On May 24, the NPC announced the completion of its thorough investigation into the unauthorized transactions reported in various GCash accounts, emphasizing that after its analysis and separate authentication of the incident, the security breach was due to phishing attacks and not to security vulnerabilities with the mobile wallet provider.
According to Naga, there were “unknown threat actors” that exploited GCash users by utilizing online gambling platforms like “Philwin” and “tapwin1.com.”
Consequently, the NPC stated that they have ordered GCash’s mother company, G-Xchange, Inc. (GXI), “to intensify its education and awareness campaign to its clients to prevent similar incidents in the future.”
“We assure the public that the National Privacy Commission remains resolute in its mandate to safeguard the rights of data subjects and protect personal information. We will employ the full extent of our powers under the law to penalize those who violate the Data Privacy Act of 2012,” Naga concluded.
On May 9, the Complaints and Investigation Division of the NPC launched an independent investigation to determine the scope of the reported unauthorized transactions and assess whether personal data compromise or other potential violations of the Data Privacy Act of 2012 had occurred.
On May 12, a clarificatory meeting was held between the NPC and GXI, during which the NPC shared information gathered from its internal investigation, and GXI outlined the actions taken to address the incident.
During the meeting, the NPC expressed concerns and requested additional information and evidence from GXI in order to conduct an impartial evaluation and verify the company’s assertions.
Following that, on May 19, GXI submitted its compliance with the directives issued by the Privacy Commission.
GCash Incident Timeline
- May 8, 2023
  - GCash received complaints about irregular transactions involving the transfer of funds via InstaPay to Asia United Bank (AUB) and EastWest Bank (EWB). The GCash app went into maintenance mode, and InstaPay transfers to its partner banks were also switched off.
- May 9, 2023
  - The application went back online. GCash announced that by 4:00 p.m., all funds belonging to users affected by the unauthorized transactions had been returned.
  - The two banks linked to the unauthorized fund transfers also released their own statements addressing the issue, assuring that they are working with authorities.
- May 10, 2023
  - Gilda Maquilan, GCash’s vice president for corporate communications, told ABS-CBN News Channel (ANC) that the data was obtained from users through phishing methods and not hacking.
- May 11, 2023
  - The Department of Information and Communications Technology (DICT) and the National Privacy Commission (NPC) initiated their separate investigations into the security issues surrounding GCash.
- May 24, 2023 (this article)
  - NPC’s investigation concluded that the security breach that affected some GCash users was a result of phishing attacks, most specifically from online gambling platforms like “Philwin” and “tapwin1.com.”
This article is published on BitPinas: National Privacy Commission Sides with GCash: Unauthorized Transactions Result of Phishing Attacks from PhilWin, TapWin1