Regulator investigating Cashalo data breach

THE National Privacy Commission (NPC) is investigating a potential data breach involving 3.3 million users of online lending platform Cashalo, a joint venture between JG Summit Holdings subsidiary Express Holdings, Inc. and Hong Kong-based Oriente.

Cybersecurity consultant Cyble reported that a seller known as “creepxploit” tried to sell data containing names, e-mails, phone numbers, and device identification details from the app on the dark web. The post was no longer on the RaidForums website as of Feb. 23.

“The user may have successfully downloaded files from the database of the application,” the commission said in a statement Tuesday.

NPC said that it has reached out to Cashalo to request for information, and has received a breach report.

Roren Marie Chin, NPC chief of Public Information and Assistance Division, said in a mobile message to reporters that Cashalo users may contact the company’s data protection officer to check whether they are included among the affected accounts.

NPC has not yet determined the degree of Cashalo’s liability for the data breach.

“Until we have completed the investigation and decision regarding the Cashalo, we would like to refrain from providing further details, especially the liabilities, as to not compromise the due process,” Ms. Chin said.

According to reports, Cashalo announced the discovery of the breach by its security team, but added that accounts and passwords are encrypted and have not been compromised. — Jenina P. Ibañez