About Us
NPC finds no breach in GCash data exposure report
- CICC, DICT, Gcash, NPC
-
Photo from Pixabay
By TechWatch PH Staff
The National Privacy Commission (NPC) has concluded that no personal data breach occurred within G-Xchange, Inc. (GCash), following an investigation into an alleged dataset that surfaced on deep web last week.
The NPC said it immediately initiated an inquiry after learning of the report and ordered G-Xchange, Inc. on October 27 to submit technical documentation, preserve system logs, and participate in a clarificatory conference and live technical demonstration before its Complaints and Investigation Division (NPC-CID).
GCash complied with the directive, submitting written explanations, supporting materials, and demonstrating its systems under the NPC’s supervision.
Following the technical validation, the NPC confirmed that the dataset circulating online was inconsistent with GCash’s verified data structures.
Several of the listed accounts were invalid or inactive, and investigators found no evidence of unauthorized access, infiltration, or data exfiltration in GCash’s monitored environments.
Results from the live technical demonstration conducted on October 29 further confirmed that no unauthorized access attempts were made on GCash’s critical databases, including those storing eKYC data.
Records covering the period from January 1 to October 29, 2025, showed zero incidents, with only pre-approved internal IP addresses interacting with the system.
“This strongly indicates that no breaches, unauthorized access, infiltration, or exfiltration attempts occurred,” the NPC-CID reported.
The NPC reiterated its commitment to promptly investigate all alleged data breach reports to ensure accountability under the Data Privacy Act of 2012, while warning that unauthorized access, sale, or distribution of personal data are punishable offenses under the law.
On October 27, the National Privacy Commission (NPC) urged the public to exercise heightened vigilance following reports of an alleged data leak involving G-Xchange, Inc., the operator of popular mobile wallet platform GCash, which surfaced online on October 26.
READ:
NPC urges public vigilance following alleged GCash data leak
Meanwhile, in a statement released the same day, the Cybercrime Investigation and Coordinating Center (CICC) said its Cybercrime Investigation Office (CIO), in coordination with GCash, conducted an initial assessment and found that the data circulating online appeared to be recycled information — older or previously available data that had been reshared to make it seem newly compromised.
READ:
CICC probes reported GCash data breach, says data likely did not come from platform