PRIVACY watchdog National Privacy Commission (NPC) said the reported unauthorized transactions involving electronic payment firm GCash had been caused by phishing attacks.
“Upon our thorough investigation, we have determined that the unauthorized transactions in GCash accounts were a result of a meticulous phishing scheme,” Privacy Commissioner John Henry D. Naga said in a statement on Wednesday.
“Unknown threat actors took advantage of vulnerable GCash users, triggering the phishing scheme through online gambling websites,” he added, identifying the sites as Philwin and tapwin1.com.
On May 8, GCash customers reported unauthorized deductions from their digital wallets. After it received user complaints, GCash announced that any deduction from an account would be adjusted. It reminded users to never share their one-time PINs (OTPs) and mobile banking identification numbers (MPINs).
The digital payment app also disclosed that it is continuing to improve its security mechanisms, such as facial recognition, in addition to the OTP and MPIN authentication levels.
The NPC’s complaints and investigation division started its “independent investigation” on May 9 to check the extent of the alleged unauthorized transactions and to establish if there were violations of the Data Privacy law.
“On May 12, the NPC held a clarificatory meeting with GXI, providing information gathered from their internal investigation and outlining the measures taken to address the incident,” the commission said, referring to G-Xchange, Inc.
“The NPC raised concerns and requested additional information and proof from GXI to enable the conduct of an independent assessment and verify the company’s claims,” it added.
“Subsequently, on May 19, GXI submitted its compliance with the orders issued by the NPC,” it said.
After the investigation, the NPC ordered GXI, the company managing GCash, to boost its client education and awareness efforts to prevent similar incidents in the future.
“We assure the public that the NPC remains resolute in its mandate to safeguard the rights of data subjects and protect personal information. We will employ the full extent of our powers under the law to penalize those who violate the Data Privacy Act of 2012,” Mr. Naga said. — Revin Mikhael D. Ochave