After GCash stated that the May 8 incident involved phishing and that no breach had occurred, an independent investigation by the National Privacy Commission (NPC) has further confirmed that there was no security breach.
“As far as data privacy is concerned in determining whether they were indeed breached or not, based on our investigation, they were not breached,” NPC Complaints and Investigation Division Chief Atty. Michael Santos said in an interview on TeleRadyo.
Based on the NPC's findings, the phishing scheme appeared to originate from a modus involving gambling sites, where users were made to believe that they were loading credits when, in reality, they were adding another device.
In its investigation, the NPC cited gambling websites like Philwin and Tapwin1.com as the “unknown threat actors (that) took advantage of vulnerable GCash users.” The gambling websites allegedly involved in this modus have yet to be investigated, and we’re waiting for GCash to comment on the matter.
In response to the incident, GCash was ordered to amplify its security measures to prevent similar incidents from happening in the future. One of these measures is a new feature, DoubleSafe, which makes use of both OTP and a selfie scan (on top of the usual MPIN) to ensure a secure login.