Cashalo, a digital credit company in the Philippines which offers cash loans and other financial services to Filipinos, recently suffered a massive data breach that exposed millions of customer records on the dark web.
In an announcement posted on its website, Cashalo said that on 18 February, it suffered a major security breach that was discovered by IT personnel during the course of ‘regular proactive monitoring’. The security incident involved hackers gaining access to a Cashalo-only database archive which, according to the fintech company, "contained some personal data of Cashalo customers, including some combination of usernames, email, phone numbers, device ID and passwords."
Upon being informed by Cashalo about the breach, the National Privacy Commission (NPC) of the Philippines conducted a preliminary probe over the cyber attack and found that almost 3.3 million data records of Cashalo users were sold on the dark web by a user named “creepxploit”.
The NPC, along with Cashalo, confirmed that the leaked data included usernames, passwords, e-mail addresses, phone numbers, and device identifications available on two sites on the dark web. The hacker also provided sample data for potential buyers and raw data stolen from Cashalo's server were put up for sale on different dark web forums on 14th February.
Cashalo said in a statement that user passwords were encrypted and that no accounts were compromised as a result of the unauthorised access. “Our encryption implementation ensured that no customer accounts or passwords were compromised,” it said. As a precaution, the company has taken immediate measures to prevent unauthorised access to the archived database that was affected.
"Cashalo places great importance on protecting your personal information, and we value the trust you have placed in us. We want to be transparent about this incident with all of our customers and reassure you that we are taking it very seriously. We are fully committed to taking the necessary steps to minimize the risk of a similar incident occurring in the future," it said.
“The Commission continues to monitor and investigate the case in coordination with the parties involved. Rest assured that the NPC does not condone any data privacy and protection violations, whether committed with malice or due to negligence. We hope to bring clarity to the incident soon and better protect those whose data privacy rights may have been compromised by this incident,” NPC said.
Roren Marie Chin, the chief of the Public Information and Assistance Divison of the NPC, said that the data breach did not hamper daily operations at Cashalo and that users can access their Cashalo accounts safely. Affected customers will be notified by the company directly via email. Cashalo has advised all users to change their account passwords and will inform affected users about the nature of the stolen information via in-app notifications.
Commenting on the massive theft of customer data from Cashalo's database, Nicolai Baldin, CEO of Synthesized, said that data is the currency of the 21st century and the ever-increasing volume of breaches businesses are facing today shows that data is their most valuable asset.
“It is therefore imperative that organisations take steps to comprehensively secure their data while still enabling safe data access. This includes deploying the necessary security tools to prevent unauthorised access and also using data clean rooms as a secure way to collaborate on sensitive data,” he added.