Manila, Philippines – The National Privacy Commission (NPC) urged the public to remain cautious following reports of a potential data breach involving G-Xchange, Inc., the company behind mobile wallet platform GCash. The alleged leak surfaced online on 26 October 2025.
An investigation was launched after a post appeared on the dark web claiming to sell information belonging to GCash users.
The individual behind the post, using the alias “Oversleep8351,” purportedly offered access to merchant and user data, account numbers, bank and virtual card links, as well as Know Your Customer (KYC) records that may include names, addresses, employment details, and copies of valid Philippine identification documents covering millions of entries from 2019 to October 2025.
The NPC’s Complaints and Investigation Division has issued a Notice to Explain to G-Xchange, Inc. seeking details regarding the reported incident.
A clarificatory meeting has been scheduled to further discuss the case. As of 10:30 a.m. on October 27, 2025, the Commission had not yet received an official data breach notification from the company.
If the investigation confirms that user data was compromised, the NPC stated that it will take appropriate action in accordance with the Data Privacy Act of 2012. In the meantime, users of GCash were encouraged to monitor their accounts, update their MPINs and passwords, activate available security features, and remain cautious of phishing attempts or suspicious messages.
The NPC stated it would provide verified updates once more information becomes available, reminding the public to avoid engaging with or sharing unverified claims circulating online while the inquiry is ongoing.
Updated on October 28, 2025, GCash has issued an advisory to its customers addressing recent allegations of a data breach and the sale of user information on the dark web. The company strongly maintains that no evidence of a breach has been found within its systems, assuring users that their funds and account information remain safe and secure.
The statement follows the circulation of an online post, which prompted an internal investigation by the firm’s cybersecurity experts.
The swift investigation concluded that the alleged dataset being circulated does not match or originate from GCash systems. According to the company, many entries in the purported data are incomplete, invalid, or unrelated to GCash users. This finding is presented by GCash as strong evidence that the customer data currently being circulated did not originate from the company’s own infrastructure.
GCash reaffirmed its continued commitment to safeguarding customer data and maintaining a secure platform.
The company also stated that it is working closely with regulatory bodies, including the Bangko Sentral ng Pilipinas (BSP), the National Privacy Commission (NPC), and the Cybercrime Investigation and Coordinating Centre (CICC), to monitor, validate, and protect its systems. The firm emphasised its dedication to upholding the trust of its millions of Filipino users.
