MANILA – The National Privacy Commission (NPC) on Tuesday warned of a possible data breach concerning cash-loaning application “Cashalo,” with the data of its 3.3 million users allegedly put up for sale online.
In a statement, Roren Marie Chin, chief of Public Information and Assistance Division of the NPC, said the agency did a preliminary probe on the data breach and found that a data-dump of Cashalo, operated by Oriente Express Techsystem Corporation, has been posted on different cyber forums since Feb. 14.
“A certain user under “creepxploit” sells data of 3.3 million users of Cashalo containing their usernames, passwords, e-mail addresses, phone numbers and device identifications on the dark web as shared in a post on cybleinc.com and RaidForums – even provided sample data for potential buyers,” Chin said.
The seller, she said, may have successfully downloaded files from the Cashalo database, noting that the data-dump was still up for sale on Monday.
The NPC has reached out to Cashalo through their data protection officer to coordinate on the breach and required them to provide additional information.
She said the NPC has also received a breach report filed by Cashalo via email on Friday at 9:58 p.m.
“From this breach notification received, the Commission intends to do further monitoring and investigation in cooperation with the parties involved -- upholding its mandate in protecting the personal information of data subjects,” Chin said.
As of Tuesday, the post on RaidForums.com of the alleged sale has been taken down.
Cashalo said its IT security team discovered on Friday last week a potential data breach involving its database archive and assured its users that their accounts and passwords are encrypted and have not been compromised.
On Feb. 14, cybersecurity platform Cyble reported that about 3 billion data credentials were leaked on the dark web and included the full names, email, and other personal information of 3.3 million Cashalo users. (PNA)