Hacker stole 3.3m customer data records from Filipino loan firm Cashalo

Cashalo, a digital credit company in the Philippines which offers cash loans and other financial services to Filipinos, recently suffered a massive data breach that exposed millions of customer records on the dark web.

In an announcement posted on its website, Cashalo said that on 18 February, it suffered a major security breach that was discovered by IT personnel during the course of ‘regular proactive monitoring’. The security incident involved hackers gaining access to a Cashalo-only database archive which, according to the fintech company, “contained some personal data of Cashalo customers, including some combination of usernames, email, phone numbers, device ID and passwords.”

Upon being informed by Cashalo about the breach, the National Privacy Commission (NPC) of the Philippines conducted a preliminary probe into the cyber attack and found that almost 3.3 million data records of Cashalo users were sold on the dark web by a user named “creepxploit”.

The NPC, along with Cashalo, confirmed that the leaked data, available on two sites on the dark web, included usernames, passwords, e-mail addresses, phone numbers, and device identifications. The hacker also provided sample data for potential buyers, and raw data stolen from Cashalo’s server was put up for sale on different dark web forums on 14th February.

Cashalo said in a statement that user passwords were encrypted and that no accounts were compromised as a result of the unauthorised access. “Our encryption implementation ensured that no customer accounts or passwords were compromised,” it said. As a precaution, the company has taken immediate measures to prevent unauthorised access to the archived database that was affected.

“Cashalo places great importance on protecting your personal information, and we value the trust you have placed in us. We want to be transparent about this incident with all of our customers and reassure you that we are taking it very seriously. We are fully committed to taking the necessary steps to minimize the risk of a similar incident occurring in the future,” it said.

“The Commission continues to monitor and investigate the case in coordination with the parties involved. Rest assured that the NPC does not condone any data privacy and protection violations, whether committed with malice or due to negligence. We hope to bring clarity to the incident soon and better protect those whose data privacy rights may have been compromised by this incident,” NPC said.

Roren Marie Chin, the chief of the Public Information and Assistance Division of the NPC, said that the data breach did not hamper daily operations at Cashalo and that users can access their Cashalo accounts safely. Affected customers will be notified by the company directly via email. Cashalo has advised all users to change their account passwords and will inform affected users about the nature of the stolen information via in-app notifications.

Commenting on the massive theft of customer data from Cashalo’s database, Nicolai Baldin, CEO of Synthesized, said that data is the currency of the 21st century and the ever-increasing volume of breaches businesses are facing today shows that data is their most valuable asset.

“It is therefore imperative that organisations take steps to comprehensively secure their data while still enabling safe data access. This includes deploying the necessary security tools to prevent unauthorised access and also using data clean rooms as a secure way to collaborate on sensitive data,” he added.

Copyright Lyonsdown Limited 2021
