A “meticulous” phishing scheme through online gambling websites caused the security breach that led to unauthorized fund transfers from mobile wallet GCash to several private bank accounts earlier this month.
“Upon our thorough investigation, we have determined that the unauthorized transactions in GCash accounts were a result of a meticulous phishing scheme,” said Privacy Commissioner John Henry Naga.
“Unknown threat actors took advantage of vulnerable GCash users, triggering the phishing scheme through online gambling websites such as ‘Philwin’ and ‘tapwin1.com,’” he added.
The Complaints and Investigation Division (CID) of the National Privacy Commission (NPC) conducted an independent probe to ascertain the extent of the alleged unauthorized transactions and determine if personal data were compromised, among other potential violations of the Data Privacy Act of 2012.
On May 12, the NPC held a clarificatory meeting with G-Xchange Inc. (GXI).
“We have ordered GXI to intensify its education and awareness campaign to its clients to prevent similar incidents in the future. We assure the public that the National Privacy Commission remains resolute in its mandate to safeguard the rights of data subjects and protect personal information. We will employ the full extent of our powers under the law to penalize those who violate the Data Privacy Act of 2012,” Naga said.
Last week, Bangko Sentral ng Pilipinas Governor Felipe Medalla said only 80 percent of the unauthorized fund transfers from mobile wallet GCash to several private bank accounts were recovered.
He said the mobile wallet of Globe Telecom Inc. shouldered the balance to return the missing amounts, contrary to an initial statement by GCash that no funds were lost despite complaints of missing money by some users.
Medalla said efforts now focus on tracking down the holders of the private bank accounts where the missing GCash funds were transferred.
Several GCash users earlier reported that their money was transferred to Asia United Bank and East West Bank accounts ending in number 5239.
The central bank chief also said that the security features of local digital payment platforms are satisfactory but consumers need to be vigilant.
He said users should not share their OTP or one-time password because this is their last level of protection.