The National Privacy Commission (NPC), headed by Privacy Commissioner John Henry Naga, has launched an investigation into an alleged data breach involving G-Xchange Inc., the operator of the e-wallet platform GCash. Reports about the supposed leak surfaced online on October 25, 2025, after a dark web post claimed that GCash user data was being sold.
What Sparked the Data Leak Allegations
The issue began when a post appeared on the dark web from a user with the alias “Oversleep8351.” The post claimed to have information from around seven to eight million GCash users. It allegedly included merchant and basic user accounts, GCash account numbers, linked bank and virtual card accounts, and Know Your Customer (KYC) data such as names, addresses, employment details, and valid Philippine IDs.
The post also claimed the dataset covered transactions and account registrations from 2019 to October 2025. It was said that this information was being sold in bundles, sparking public concern as the claims spread online.
The NPC immediately acted upon the report and confirmed that its Complaints and Investigation Division issued a Notice to Explain (NTE) to G-Xchange Inc., led by President and CEO Martha Sazon, to obtain details about the alleged incident. The agency also scheduled an online clarificatory conference to discuss the matter further.
U.S. Reels After Student Data Hack — 20-Year-Old Sentenced in $14 Million PowerSchool Case
Commissioner Naga said the NPC will take appropriate regulatory and enforcement actions if it confirms that the personal data of GCash users were compromised. The NPC reminded the public that such cases fall under the Data Privacy Act of 2012, which protects citizens from unauthorized access and misuse of personal data.
GCash Denies Data Breach
In response, GCash strongly denied that any data breach had occurred. In an official statement, the company said it was aware of the dark web post and immediately launched an internal investigation with its cybersecurity experts and relevant authorities.
According to GCash,initial analysis showed that the dataset being circulated online does not match the structure used in its systems. The company explained that the leaked data appeared incomplete, inconsistent, and even included people who are not GCash users. Based on these findings, the firm concluded that the material did not originate from its own database.
GCash President Martha Sazon assured users that there was no evidence of any breach in the platform’s systems and emphasized that all customer accounts and funds remain secure. She added that the company continues to coordinate closely with the National Privacy Commission (NPC), the Bangko Sentral ng Pilipinas (BSP) under Governor Eli Remolona Jr., and the Cybercrime Investigation and Coordinating Center (CICC) led by Executive Director Alexander Ramos to validate all information.
GCash reiterated that protecting user privacy and account security remains its top priority. The company also reminded customers to remain vigilant, use in-app security features, and report suspicious activity only through official GCash channels.
Global data breach rocks Qantas — 5 million customer profiles exposed after ransom refusal
NPC Urges Caution While Probe Continues
As the NPC continues its investigation, it advised GCash users to stay alert and monitor their accounts for unusual activity. The agency encouraged users to enable additional security settings, be careful of phishing attempts, and avoid sharing sensitive personal or financial information.
Commissioner Naga said the NPC is determined to get to the bottom of the issue and will act accordingly once the facts are verified. He assured the public that the Commission will enforce penalties if evidence confirms a violation of the Data Privacy Act.
GCash, on its part, continues to coordinate with authorities and review its systems to ensure that no user data has been compromised. The company said it remains committed to transparency and to maintaining the trust of its millions of users nationwide.
The alleged GCash data breach has raised concerns about cybersecurity among digital users in the Philippines. The NPC’s investigation and GCash’s swift denial show how seriously both parties are treating the incident. While the probe continues, authorities and the e-wallet provider have both assured the public that all necessary measures are being taken to protect users and their financial information.
