NPC finds data breach in cash-loaning app


The National Privacy Commission (NPC) said its initial findings showed a data breach at cash-loaning application Cashalo, where a certain user was found selling the personal information of 3.3 million users.

The NPC said this following its preliminary probe into the data security issue at Cashalo, which is operated by Oriente Express Techsystem Corporation.

In a statement, the NPC said that, based on initial findings, the post about the data dump from the said application has been on different cyber forums on the dark web since February 14, 2021. A certain user under the name “creepxploit” is selling data of 3.3 million Cashalo users containing their usernames, passwords, e-mail addresses, phone numbers and device identifications on the dark web, as shared in a post on cybleinc.com and RaidForums, and even provided sample data for potential buyers.

Given the facts of the report, the NPC said the user may have successfully downloaded files from the application's database, which are still up for sale as of writing, February 22, 2021.

The NPC had already reached out to Cashalo through its Data Protection Officer (DPO) to coordinate on this incident and required the company to provide additional information. Likewise, the Commission received the breach report filed by Cashalo via email on February 19, 2021.

The NPC also advised subscribers to contact Cashalo's DPO or wait for its notification if they are included among the affected accounts.

In light of this, the NPC said it will further monitor and investigate in cooperation with the parties involved, upholding its mandate to protect the personal information of data subjects.