National Privacy Commission: Personal data of 3.3 million Cashalo users sold in dark web

enablePagination: false
maxItemsPerPage: 10
maxPaginationLinks: 10

Metro Manila (CNN Philippines, February 23) — Personal data of over 3 million users of Cashalo are being sold in the dark web, the National Privacy Commission said.

In a statement on Tuesday, the agency said the information of 3.3 million users of the online cash lending platform are being sold in two sites in the dark web since mid-February by a certain user named “creexploit.”

The data contains the individuals’ usernames, passwords, email addresses, phone numbers and device identifications, the statement read.

“Given the facts, it is suspected that the user successfully downloaded files from Cashalo’s own database, which signifies a potential breach on the application,” said the Commission, noting the user’s posts remain accessible as of writing.

On Saturday, Cashalo notified the public of an “unauthorized access” to a database containing some personal data of its subscribers. It assured no accounts or passwords were compromised, and that it is cooperating with authorities and partners to complete the investigation and beef up its security and safety measures.

The Commission said it will continue monitoring and investigating the matter in coordination with involved parties.

“Rest assured that the NPC does not condone any data privacy and protection violations, whether committed with malice or due to negligence,” it said. “We hope to bring clarity to the incident soon and better protect those whose data privacy rights may have been compromised by this incident.”