GCash said its initial forensic analysis found no evidence of a data breach, following reports that alleged customer data was being sold on the dark web.
The post claimed to contain GCash records from 2019 to October 2025, including eKYC information, linked bank accounts, and personal IDs of both merchants and regular users.
In a statement Monday, GCash said the dataset does not match its internal data structure and includes entries from non-GCash users, with many records found to be incomplete or invalid.
“There is no evidence of any breach in GCash systems. All customer accounts and funds remain secure,” the company said.
GCash said it is working with the Bangko Sentral ng Pilipinas (BSP), the National Privacy Commission (NPC), and the Cybercrime Investigation and Coordinating Center (CICC) to further verify the claims and ensure system security.
Meanwhile, the NPC has launched an investigation and issued a Notice to Explain to G-Xchange, Inc., GCash’s operator. It urged users to stay vigilant by updating their passwords, monitoring their accounts, and avoiding unverified online claims.
“If personal data is found to be compromised, the NPC will take appropriate regulatory and enforcement action,” the commission said.
