
National Privacy Commission: GCash Unauthorized Transactions Result of Phishing Attacks from PhilWin, TapWin1


Editing by Nathaniel Cajuday

  • The National Privacy Commission (NPC) concluded that the security breach affecting GCash users was caused by phishing attacks orchestrated by unknown threat actors.
  • The NPC also stressed that the security breach affecting GCash users was a result of phishing attacks that utilized online gambling platforms like “Philwin” and “tapwin1.com.”
  • The privacy watchdog then ordered GXI, GCash’s mother company, to enhance its education and awareness campaign to prevent similar incidents in the future.

“Upon our thorough investigation, we have determined that the unauthorized transactions in GCash accounts were a result of a meticulous phishing scheme.”

This is the statement released by National Privacy Commission (NPC) Commissioner John Henry Naga, as the recent probe of the data privacy watchdog has concluded that the security breach that affected some GCash users was a result of phishing attacks, most specifically from online gambling platforms like “Philwin” and “tapwin1.com.”

NPC Findings

Photo: John Henry Naga, Privacy Commissioner

On May 24, the NPC announced the completion of its thorough investigation into the unauthorized transactions reported in various GCash accounts, emphasizing that after their analysis and separate authentication of the incident, the security breach was due to phishing attacks and not security vulnerabilities with the mobile wallet provider. 


According to Naga, there were “unknown threat actors” that exploited GCash users by utilizing online gambling platforms like “Philwin” and “tapwin1.com.”

Consequently, the NPC stated that they have ordered GCash’s mother company, G-Xchange, Inc. (GXI), “to intensify its education and awareness campaign to its clients to prevent similar incidents in the future.”

“We assure the public that the National Privacy Commission remains resolute in its mandate to safeguard the rights of data subjects and protect personal information. We will employ the full extent of our powers under the law to penalize those who violate the Data Privacy Act of 2012,” Naga concluded.

NPC Probe

On May 9, the Complaints and Investigation Division of the NPC launched an independent investigation to determine the scope of the reported unauthorized transactions and assess whether personal data compromise or other potential violations of the Data Privacy Act of 2012 had occurred. 

On May 12, a clarificatory meeting was held between the NPC and the GXI, during which the NPC shared information gathered from its internal investigation, and the GXI then outlined the actions taken to address the incident. 

During the meeting, the NPC expressed concerns and requested additional information and evidence from GXI in order to conduct an impartial evaluation and verify the company’s assertions.

Following that, on May 19, GXI submitted its compliance with the directives issued by the Privacy Commission.

GCash Incident Timeline

  • May 8, 2023
    • GCash received complaints about irregular transactions involving the transfer of funds via InstaPay to Asia United Bank (AUB) and EastWest Bank (EWB). The GCash app went into maintenance mode – InstaPay to their partner banks were also switched off.
  • May 9, 2023
    • The application went back online. GCash announced that by 4:00 p.m., all funds belonging to users affected by the unauthorized transaction had been returned.
    • The two banks linked to the unauthorized fund transfers also released their own statements addressing the issue, assuring that they are working with authorities.
  • May 10, 2023
  • May 11, 2023
    • The Department of Information and Communications Technology (DICT) and the National Privacy Commission (NPC) have initiated their separate investigations into the security issues surrounding GCash. 
  • May 24, 2023 (This news)
    • NPC’s investigation concluded that the security breach that affected some GCash users was a result of phishing attacks, most specifically from online gambling platforms like “Philwin” and “tapwin1.com.”

This article is published on BitPinas: National Privacy Commission Sides with GCash: Unauthorized Transactions Result of Phishing Attacks from PhilWin, TapWin1
