The National Privacy Commission (NPC) has launched an investigation into an alleged data breach involving G-Xchange, Inc., the operator of popular e-wallet platform GCash, following reports that user information was being sold on the dark web.

According to the NPC, a post by a threat actor using the alias “Oversleep8351” surfaced online on October 25, allegedly offering sensitive data including GCash account numbers, linked bank and virtual card accounts, and Know Your Customer (KYC) records such as names, addresses, employment details, and valid IDs. In response, the NPC issued a Notice to Explain to G-Xchange and scheduled an online clarificatory conference to gather more details.

“If confirmed, the NPC will take appropriate regulatory and enforcement action under the Data Privacy Act of 2012,” the agency said, urging users to monitor their accounts and remain vigilant against phishing attempts.

GCash, however, denied any breach in its systems. In a separate statement, the company said its initial investigation found no match between the alleged dataset and its internal data structure. It added that many entries appeared incomplete or unrelated to actual GCash users.

“All customer accounts and funds remain secure,” GCash assured, noting that it is working closely with the Bangko Sentral ng Pilipinas, the NPC, and cybersecurity authorities to validate the claims and safeguard user data. (PNA)