The National Privacy Commission (NPC) is investigating an online lending app for a data breach in its platform that resulted in the leak of user information on the dark web.
The NPC on Tuesday reported it carried out a preliminary investigation on the data breach that corrupted online loan app Cashalo’s files. Based on the probe, the data taken from Cashalo has been put for sale on the dark web since February 14 as disclosed in cybersecurity forums.
Further, a certain user by the name “creepxploit” has been peddling the data of 3.3 million users of Cashalo containing their usernames, passwords, e-mail addresses, phone numbers, as well as device identifications.
The seller even provided sample data of Cashalo users for potential buyers to see. This activity on the dark web has been shared in posts on cybleinc.com and RaidForums, sites where data breaches and leaks are reported to alert Internet users.
As such, the NPC hinted the user, “creepxploit,” may have downloaded files from the database of Cashalo and took to the dark web to profit from them.
The NPC has reached out to Cashalo’s data protection officer to coordinate this incident. Also, the agency has required the online cash app, operated by Oriente Express Techsystem Corp., to provide additional information on the matter.
The NPC added it received the breach report file submitted by Cashalo last Friday.
The data privacy body vowed it will monitor and investigate the data breach in cooperation with all parties involved as part of its mandate to protect the personal information of data subjects. It, however, recommended Cashalo users to keep their accounts in check and change passwords for security purposes.
Last Friday the NPC transmitted to the Department of Justice a recommendation to prosecute another online lending app in PondoPeso, operated by Fynamics Lending Inc., for violating data privacy rules.
Scores of borrowers have filed complaints against the app for subjecting them to public shaming to pressure them to pay. As such, the NPC concluded Fynamics should be held accountable for breaching Section 25 of the Data Privacy Act (DPA).
Criminals found guilty of unauthorized processing of personal information could be imposed with three years of imprisonment and P2 million in fine, while of sensitive information could be ruled with up to six years behind bars and made to pay as much as P4 million in penalty.
In 2019 the NPC issued a directive prohibiting 26 online lending apps from processing personal information on charges of breaking the DPA. Download store Google Play then took down these apps from its platform to prevent any further users from accessing them.