NPC confirms unauthorized GCash transactions resulted from 'meticulous phishing scheme'

The National Privacy Commission (NPC) has concluded its investigation into the recently reported unauthorized GCash transactions.

The government body found in its independent verification that phishing attacks resulted in the GCash security breach in early May.

"Upon our thorough investigation, we have determined that the unauthorized transactions in GCash accounts were a result of a meticulous phishing scheme," Privacy Commissioner John Henry Naga said in a press release.

Apparently, "unknown threat actors" tricked vulnerable GCash users into their phishing scheme through online gambling websites like Philwin and tapwin1.com.

The NPC held a May 12 clarificatory meeting with G-Xchange Inc. (GXI) to provide their findings, outline their response to the incident. raise concerns with GXI, as well as request additional information and evidence to confirm the company's claims.

GXI has since submitted its compliance with NPC-issued orders on May 19.

"We have ordered GXI to intensify its education and awareness campaign to its clients to prevent similar incidents in the future. We assure the public that the NPC remains resolute in its mandate to safeguard the rights of data subjects and protect personal information," Naga said.

The privacy commissioner added that they will implement their full powers under the law to punish those who violate the Data Privacy Act of 2012.

GCash previously issued separate advisories about adjusting the e-wallets of all affected users and denying that any hacking occurred. 

The digital wallet's users earlier this month reported issues like losing tens of thousands of pesos without being prompted for their one-time passwords.

EastWest Bank and Asia United Bank were linked at the time to the unauthorized transactions, with both banks cooperating with GCash and government regulators to investigate the issue.