MANILA, Philippines – The Philippines’ National Privacy Commission, on Wednesday, May 24, said the unauthorized GCash transactions that took place on the week of May 9, were enabled by phishing attacks through online gambling sites such as “Philwin” and “tapwin1.com”.

The NPC’s investigation was not able to name the perpetrators of what it called a “meticulous phishing scheme.”

The investigation began on May 9, to see if there had been a possible compromise of personal data and other potential violations of the Data Privacy Act of 2012. The commission met with GCash parent firm, G-Xchange Inc, to gather data from the company’s internal investigation, along with the measures taken to address the situation, before the NPC proceeded with its independent assessment.

“We have ordered GXI to intensify its education and awareness campaign to its clients to prevent similar incidents in the future,” privacy commissioner John Henry Naga said.

“We assure the public that the National Privacy Commission remains resolute in its mandate to safeguard the rights of data subjects and protect personal information. We will employ the full extent of our powers under the law to penalize those who violate the Data Privacy Act of 2012.” – Rappler.com