MANILA – The National Privacy Commission (NPC) has launched an investigation into an alleged data breach involving G-Xchange, Inc., the operator of GCash, after reports surfaced online on October 26, 2025.

In a statement, the NPC said it immediately began probing the incident after a post on the dark web appeared offering to sell user information. The post, made by a threat actor using the alias “Oversleep8351,” allegedly offered merchant and user data, GCash account numbers, linked bank and virtual card accounts, and Know Your Customer (KYC) records containing names, addresses, employment details, and valid Philippine IDs.

The NPC’s Complaints and Investigation Division has issued a Notice to Explain (NTE) to G-Xchange, Inc. to obtain details about the alleged breach and scheduled an online clarificatory conference to further discuss the matter.

As of 10:30 a.m. on October 27, the NPC said it had not received any official data breach notification from G-Xchange.

“Should the investigation confirm that the personal data of GCash users have been compromised, the NPC will take regulatory and enforcement action within its mandate under the Data Privacy Act of 2012,” the commission said.

The agency urged GCash users to monitor their accounts, regularly update their MPINs and passwords, and enable additional security features. It also warned the public to remain alert to phishing attempts and avoid sharing sensitive information while the probe is ongoing.

The NPC said it would issue verified updates as soon as more information becomes available and reminded the public to refrain from engaging with or sharing unverified claims online.

For more information, the public may contact the NPC at info@privacy.gov.ph.