Cyber Incident Victim: Cashalo

Date: Feb 2021

Location: Philippines

Summary

A cash-loaning application experienced a significant data breach where personal information of 3.3 million users was illicitly sold by an individual user. The National Privacy Commission's preliminary investigation revealed that compromised data from the platform had been publicly circulated on dark web forums and cybercrime platforms, impacting vast numbers of customers.

Description

In February 2021, the National Privacy Commission (NPC) of the Philippines identified a data breach involving Cashalo, a cash-loaning application operated by Oriente Express Techsystem Corporation. The breach came to light during the NPC's preliminary investigation into data security issues reported on the platform. Initial findings revealed that an individual had offered personal information belonging to 3.3 million Cashalo users for sale on dark web cyber forums. The data-dumping activity was first observed in posts dated February 14, 2021, across multiple underground platforms. The NPC confirmed the unauthorized disclosure of user data through these illicit channels but did not specify the exact types of compromised information in its initial statement. The commission’s probe focused on validating the breach’s scope and origin following reports of the dark web listings.

The incident exposed sensitive personal data of millions of users, though the NPC did not publicly detail the specific categories of information involved. In response to the breach, the NPC issued an official statement outlining its preliminary findings and confirming the unauthorized data sale. The regulatory body initiated its investigation promptly after discovering the dark web posts, emphasizing the breach’s occurrence across multiple cybercrime forums. No additional technical details regarding the breach methodology—such as exploitation vectors or system vulnerabilities—were disclosed in the initial report. The confirmation of 3.3 million affected users highlighted the scale of the incident, marking one of the significant financial data breaches in the Philippines that year. The NPC’s public disclosure aimed to inform impacted individuals while its investigation remained ongoing.
