On Reports of an Alleged Data Breach Involving G-Xchange, Inc. (GCash)

From the National Privacy Commission of the Philippines:

October 27, 2025 10:57 AM Last Edit: October 27th, 2025

The National Privacy Commission (NPC) urges the public to exercise heightened vigilance following reports of data leak allegedly involving G-Xchange, Inc., operator of GCash, which surfaced online on 26 October 2025.

The NPC has immediately launched an investigation after a dark web post appeared claiming to sell user information. The post, made by a threat actor using the alias “Oversleep8351,” allegedly offers merchant and basic user data, GCash account numbers, linked bank and virtual card accounts, and KYC (Know Your Customer) records containing names, addresses, employment details, and valid Philippine IDs.

Following this, the NPC’s Complaints and Investigation Division has issued a Notice to Explain (NTE) to G-Xchange, Inc. to obtain further details about the alleged incident. An online clarificatory conference has also been scheduled to facilitate a more detailed discussion of the matter. As of 10:30 a.m. on 27 October 2025, the NPC has not received any official data breach notification from the company.

Should the investigation confirm that the personal data of GCash users have been compromised, the NPC will take regulatory and enforcement action within its mandate under the Data Privacy Act of 2012.

GCash users should actively monitor their accounts, regularly update their MPINs and passwords, and enable additional security features to protect their information. They must also remain alert to phishing attempts and refrain from sharing personal or sensitive data while the investigation is ongoing.

The NPC will issue verified updates as soon as more information becomes available. In the meantime, the public is advised to exercise caution and refrain from engaging with or sharing unverified claims circulating online.

For more details, you may contact [email protected]

In related news, GCash has denied any breach: