GCash KYC Data Breach Exposes Thousands of Users’ Info

Manila, Philippines – An alleged data breach occurred between late March and early April 2024, which the Philippine Statistics Authority (PSA) said was carried out by the threat actor KryptonZombie. Early information about the breach was reported earlier this year, but the PSA initially dismissed it. Little by little, more information came out, and we learned that the affected system was the GCash KYC System, along with the severity of the attack.

This week, our team found out that some Philippine files had been uploaded to a data repository linked with different threat actors. Of the 100GB of affected data, the exposed GCash information consists of mobile numbers, identification documents used during KYC, GSave account numbers associated with the phone numbers, signatures, and selfies. For instance, one folder containing around 500,000 items, among them selfies, IDs, and signatures, was revealed.

Front and Back of GCash User Identification Cards

In the early stages of the research, there was a folder labeled Enhanced Customer Due Diligence (ECDD); the program used to open this folder continuously froze, implying the existence of more sensitive information. Another folder, named ‘Upgraded’, held data up to June 2021, divided by date of KYC completion, with each linked to the corresponding mobile numbers.

After several months of research and waiting, our team was able to acquire an entire set of the leaked data, which substantiated the initial findings and emphasized the extent of the leak. Preliminary results suggest that more than 200,000 data subjects have been affected, and this can still grow depending on the ongoing probe.

The Deep Web Konek is still conducting its probe and has contacted GCash for verification and an official statement on this leaked information.
