Privacy Commissioner Naga Orders In-depth Investigation into GCash Glitch

PASAY CITY, May 12, 2023 – The National Privacy Commission (NPC) is investigating a potential
personal data breach involving compromised accounts of the mobile application, GCash. This is in
light of the glitch that occurred on May 10, 2023, which forced the temporary halt of GCash app
operations. The NPC’s Complaints and Investigation Division (CID) has been closely monitoring
this incident since May 9, 2023 amidst circulating reports of GCash users on suspicious
transactions on their GCash accounts, to determine the existence of breach and its extent, and
whether there are any other violation of the provisions of the Data Privacy Act of 2012.

On May 10, 2023, the NPC issued a notice to explain and an order addressed to G-Xchange, Inc.
(GXI), the company managing GCash, requiring GXI to appear before the Commission for a
clarificatory meeting and to provide additional information and documents. The clarificatory
meeting was held on May 12, 2023, wherein GXI presented information to the NPC about their
investigation and the measures taken with dispatch to address the incident. The NPC will issue
another Order instructing GXI to provide further information and documents to enable an
independent assessment and verify the claims presented by GXI on the supposed phishing being
the cause of the glitch.

Privacy Commissioner and Chairman Atty. John Henry D. Naga assures the public that all
necessary steps have been made by the NPC to protect the rights of GCash clients as data subjects.
"The NPC is committed to safeguard the privacy of all individuals and will continue to provide
guidance on how the public can better protect themselves from violations of their data privacy
rights, even as these threat actors are also becoming more sophisticated in the pursuit of their
criminal design," Privacy Commissioner Naga stated. He further emphasized, "The NPC will
diligently exercise its powers under the law against any party found to be in violation of the Data
Privacy Act."