Cashalo hit with data breach, but says accounts not compromised | Philstar.com

MANILA, Philippines — Fintech platform Cashalo reported Saturday it has been hit by a data breach, but assured that accounts and passwords of their users have not been compromised as these have been encrypted.

Cashalo said it discovered two days ago that there was “unauthorized access” to a database archive containing some personal data of their customers, including some combination of usernames, email addresses, phone numbers, device IDs and encrypted passwords.

The mobile-first lender, a joint venture of JG Summit subsidiary Express Holdings Inc. and Oriente, said this was due to an individual who claimed to be in possession of a customer database taken from its “non-production system.”

ADVERTISING

The fintech platform said that it has since taken the system offline, started investigations and is working closely with cybersecurity experts and relevant authorities, including the National Privacy Commission.

Cashalo said its teams are still determining the extent of the data breach and that it is informing affected users.


“We apologize sincerely and unreservedly for this unfortunate incident and those impacted,” Cashalo said in a separate statement posted Saturday midnight on its Facebook page.

The NPC said Friday evening in a statement that it is investigating reports that client data from Cashalo is being sold on the dark web.

The commission refused to give out further details to “avoid jeopardizing the investigation process.” — Xave Gregorio