Cashalo hit by data breach, says customer accounts safe

Metro Manila (CNN Philippines, February 20) — The online lending platform Cashalo has reported an “unauthorized access” to a database that contained some personal data of its customers, but gave assurances that accounts or passwords were not compromised.

“We deeply regret that less than 48 hours ago, our IT security team discovered a potential data security incident involving a Cashalo database archive,” read a statement posted on Cashalo’s Facebook page past 12 a.m. on Saturday.

“Our encryption implementation ensured that no customer accounts or passwords were compromised,” Cashalo said, adding that it took immediate actions and reported the incident to the National Privacy Commission. 

Cashalo said it is now cooperating with authorities and its partners to complete the investigation and enhance its security and safety measures.

“We apologize sincerely and unreservedly for this unfortunate incident and those impacted,” Cashalo said. “For those affected by this incident, an email has been sent to you informing you on the next steps.”

In a separate statement Friday night, the NPC said it has come to its attention "that client data from Cashalo is being reportedly sold on the dark web."

"Rest assured that the Commission has already started investigating this matter," the regulator said.

On its website, Cashalo said thousands of Filipinos are using its financial services mobile app, which was developed by Oriente Express. Oriente Express is a partnership between Express Holdings, Inc., a subsidiary of the Gokongwei Group’s JG Summit Holdings, Inc., and Hong Kong-based Oriente.