Update on Alleged Cashalo Data Breach

Amid recent reports on the alleged data breach on the cash-loaning application Cashalo, operated by Oriente Express Techsystem Corporation, the National Privacy Commission (NPC) did a preliminary probe on the data security issue. Initial findings show that huge amounts of personal data from Cashalo are being dumped and sold on different cyber forums since February 14, 2021.

A certain user named “creepxploit” sells data of 3.3 million users of Cashalo containing their usernames, passwords, e-mail addresses, phone numbers and device identifications on two sites on the dark web. The user even provides sample data for potential buyers. Given the facts, it is suspected that the user successfully downloaded files from Cashalo's own database, which signifies a potential breach on the application. Creepxploit's posts remain accessible as of writing.

NPC immediately reached out to Cashalo through their data protection officer to relay the incident and required them to provide additional information. The Commission received Cashalo's breach report last February.

The Commission continues to monitor and investigate the case in coordination with the parties involved. Rest assured that the NPC does not condone any data privacy and protection violations, whether committed with malice or due to negligence. We hope to bring clarity to the incident soon and better protect those whose data privacy rights may have been compromised by this incident.

# # #