The National Privacy Commission (NPC) of the Philippines initiated an investigation into G-Xchange Incorporated (GCash) following a dark web post on October 26 by a user with the alias *‘Oversleep8351’*, who claimed to be selling stolen GCash user data. The leaked dataset allegedly included account numbers, merchant/user details, linked bank/virtual card information, and KYC records (names, addresses, employment data, and valid IDs). While GCash denied a breach, stating that the data was incomplete, invalid, or did not match its systems, and assured users that their funds were safe, the NPC issued a Notice to Explain and scheduled a probe. Users were advised to update their security credentials and stay vigilant against phishing. The incident remains under investigation, with no confirmed source or scale of exposure, but the potential compromise of KYC and financial data raises concerns over identity theft and fraudulent transactions.
Source: https://www.rappler.com/technology/npc-probes-alleged-gcash-data-breach-october-2025/
TPRM report: https://www.rankiteo.com/company/wearegcash
"id": "wea4762847102725",
"linkid": "wearegcash",
"type": "Breach",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Fintech / Digital Payments',
                        'location': 'Philippines',
                        'name': 'G-Xchange Incorporated (GCash)',
                        'type': 'Financial Technology (Mobile Wallet Operator)'}],
 'customer_advisories': 'GCash Facebook post (October 27, 2024) reassuring users of fund safety and system security.',
 'data_breach': {'data_exfiltration': 'Alleged (dark web sale post)',
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (PII, financial data)',
                 'type_of_data_compromised': ['Account numbers',
                                              'Merchant/user data',
                                              'Linked bank/virtual card details',
                                              'KYC records (PII: names, addresses, employment details, valid IDs)']},
 'date_detected': '2024-10-26',
 'date_publicly_disclosed': '2024-10-27',
 'description': 'The National Privacy Commission (NPC) of the Philippines '
                'launched an investigation into an alleged data breach '
                'involving G-Xchange Incorporated (operator of mobile wallet '
                'GCash) after a dark web post surfaced on October 26, 2024. '
                "The post, by a user alias 'Oversleep8351,' claimed to sell "
                'GCash user information, including account numbers, '
                'merchant/user data, linked bank/virtual card details, and KYC '
                'records (names, addresses, employment details, valid IDs). '
                'GCash denied the breach, stating the leaked data did not '
                'match their systems and was likely fabricated or sourced '
                'elsewhere. The NPC issued a Notice to Explain to G-Xchange '
                'and advised users to enhance security measures while the '
                'probe continues.',
 'impact': {'brand_reputation_impact': 'Potential (due to public allegations and investigation)',
            'data_compromised': ['GCash account numbers',
                                 'merchant/user data',
                                 'linked bank/virtual card details',
                                 'KYC records (names, addresses, employment details, valid IDs)'],
            'identity_theft_risk': 'High (if data is valid)',
            'legal_liabilities': 'Ongoing (NPC investigation, Notice to Explain issued)',
            'payment_information_risk': 'High (linked bank/virtual card details allegedly exposed)'},
 'initial_access_broker': {'data_sold_on_dark_web': True,
                           'high_value_targets': ['GCash user databases',
                                                  'KYC records']},
 'investigation_status': 'Ongoing (NPC-led probe, GCash internal investigation)',
 'motivation': 'Financial Gain (Data Sale)',
 'recommendations': ['Users: Monitor accounts, update credentials, enable 2FA, avoid phishing.',
                     'GCash: Continue collaboration with NPC, validate dark web claims, enhance transparency.',
                     'Regulators: Strengthen oversight of fintech data protection measures.'],
 'references': [{'date_accessed': '2024-10-27',
                 'source': 'Rappler.com',
                 'url': 'https://www.rappler.com'}],
 'regulatory_compliance': {'legal_actions': ['NPC investigation',
                                             'Notice to Explain issued to G-Xchange'],
                           'regulatory_notifications': ['NPC Complaints and Investigation Division']},
 'response': {'communication_strategy': {'public_statement': 'Denial of breach (Facebook post on October 27, 2024)',
                                         'regulatory_coordination': 'Working with NPC and other agencies',
                                         'user_advisories': ['Monitor accounts',
                                                             'Update MPINs/passwords',
                                                             'Enable extra security features',
                                                             'Beware of phishing scams']},
              'containment_measures': ['Investigation by cybersecurity experts',
                                       'Collaboration with government agencies'],
              'enhanced_monitoring': True,
              'incident_response_plan_activated': True,
              'law_enforcement_notified': True},
 'stakeholder_advisories': 'NPC urged public not to share unverified claims; GCash advised users on security measures.',
 'threat_actor': {'alias': 'Oversleep8351'},
 'title': 'Alleged Data Breach Involving GCash (G-Xchange Incorporated)',
 'type': ['Data Breach (Alleged)', 'Dark Web Data Sale']}