Filipino online cash loan app Cashalo victimized in a data breach attack that entailed database records being peddled on the dark web.
Detected by Filipino NPC:
A statement issued by the Filipino National Privacy Commission(NPC) stated that they informed Cashalo about an initial investigation launched on the app’s data security issue.
When Cashalo’s IT security team found the potential data security issue, it was because of an individual claiming to have obtained the company database that was stolen from a non-production system used by Cashalo.
User data stolen and published on dark web:
According to Cashalo’s statements, the data breach attack on its database seemingly includes personal information of Cashalo customers comprising of user IDs, email IDs, encrypted passwords, phone numbers as well as system IDs. However, the company affirms that its encryption enforcement ensures that customer accounts and passwords were not compromised.
Quoting the opening detections, The NPC stated that Cashalo’s alleged publication of customer data on the dark web has been on multiple hacker forums since mid-February.
A certain cyber actor has been selling private data of more than 3 million Cashalo users. Observing the situation and analyzing the official reports, the cyber actor may have downloaded files from the company database.
Corporate Affairs of Oriente is the parent firm of Cashalo and after inquiring for clarifications, said the details of bad actors peddling the customer data were what their security team detected and that they are working in coordination with Cashalo to further investigate the data breach attack.
The NPC has also regulated with Cashalo through their Data Protection Officer to investigate the data breach attack and needed them to submit additional information.
NPC delivered that they intend to continue tracking and investigating alongside the victimized parties to uphold its mandate of “protecting the personal information of data subjects.”
The agency reported that unless they conclude the investigation and decision regarding Cashalo, they would refrain from commenting and delivering further details, especially in the case of liabilities, so as to not jeopardize the due operation.”