3.3 M Cashalo users’ data sold online – privacy body
The personal information of some 3.3 million users of lending application Cashalo were sold online, the National Privacy Commission (NPC) confirmed yesterday.
In a statement, the NPC said a certain user named “creepxploit” was selling data of millions of Cashalo users containing their usernames, passwords, e-mail addresses, phone numbers and device identifications on two sites on the dark web.
“The user even provides sample data for potential buyers. Given the facts, it is suspected that the user successfully downloaded files from Cashalo’s own database, which signifies a potential breach on the application,” said the privacy body.
“NPC immediately reached out to Cashalo through their data protection officer to relay the incident and required them to provide additional information. The commission received Cashalo’s breach report last Feb. 19,” it added.
NPC chief of public information and assistance division Roren Marie Chin urged Cashalo subscribers to contact the data privacy officer of Cashalo or wait for their notification if they are included in the affected accounts.
“In the meantime, be vigilant on the accounts connected with the platform. Change passwords and implement other security measures,” she added.
The privacy body said it continues to monitor and investigate the case in coordination with the parties involved, stressing that it does not condone any data privacy and protection violations.
Cashalo earlier reported a potential data security breach involving its database archive, but added that its “encryption implementation ensured that no customer accounts or passwords were compromised.”
The fintech company has yet to comment on the latest statement by the privacy body.