THE National Privacy Commission (NPC) urged the public on Monday, Oct. 27, 2025, to exercise heightened vigilance following reports of a data leak allegedly involving G-Xchange Inc., operator of GCash.
The NPC also announced it was launching an investigation into the alleged leak after a dark web post appeared on Sunday, Oct. 26, claiming to sell user information.
The post by a threat actor using the alias “Oversleep8351,” claimed to offer merchant and basic use data, GCash account numbers, linked bank and virtual card accounts and KYC (Know Your Customer) records containing names, addresses, employment details and valid Philippine IDs.
Denial
G-Xchange Inc. denied any breach in its systems, assuring users on Monday that their funds are secure and that the alleged dataset does not match its data.
In a statement, the NPC advised users to actively monitor their accounts, regularly update their MPINs and passwords, enable additional security features to protect their information and be alert for phishing attempts.
As of 10:30 a.m. Monday, the NPC said it has not received any official data breach notification from G-Xchange Inc.
Assurance
GCash, for its part, assured its users that their funds and information are safe and secure, stressing that there is no evidence of data breach.
“GCash is aware of an online post alleging that user information is being sold on the dark web. There is no evidence of any breach in GCash systems. All customer accounts and funds remain secure,” it said in a statement on Monday.
“Additionally, many entries are incomplete, invalid, or do not belong to GCash users,” it said.
“These findings strongly indicate that the data being circulated did not originate from GCash. We continue to work closely with the BSP (Bangko Sentral ng Pilipinas), NPC and CICC (Cybercrime Investigation and Coordinating Center) to monitor and validate information from all possible sources and ensure that our systems remain protected,” it added.
The NPC has advised GCash users to refrain from sharing personal or sensitive data while the investigation is ongoing.
“Should the investigation confirm that the personal data of GCash users have been compromised, the NPC will take regulatory and enforcement action within its mandate under the Data Privacy Act of 2012,” the NPC said. / LRM