Threat Actor: KryptonZombie | KryptonZombie
Victim: GCash KYC System | GCash
Price: Not specified
Exfiltrated Data Type: Mobile numbers, IDs used for Know Your Customer (KYC) processes, GSave account numbers linked to phone numbers, signatures, and selfie IDs
Key Points:
- An alleged data breach on the GCash KYC System was reported, attributed to the Philippine Statistics Authority and carried out by threat actor KryptonZombie.
- Around 100GB of compromised data was discovered, including sensitive information such as mobile numbers, IDs used for KYC processes, GSave account numbers linked to phone numbers, signatures, and selfie IDs.
- Over 200,000 data subjects have been compromised, with the possibility of more as the investigation continues.
Manila, Philippines – In late March to early April 2024, an alleged data breach was reported, attributed to the Philippine Statistics Authority and reportedly carried out by threat actor KryptonZombie. Initial reports of this breach surfaced earlier in the year, but the Philippine Statistics Authority (PSA) initially denied any such incident. However, as our investigation progressed, more evidence emerged revealing that the affected party was the GCash KYC System, along with the true extent of the breach.
This week, our team discovered a data repository associated with several threat actors to which Philippine files had been uploaded. Upon inspection, we found around 100GB of compromised GCash data containing sensitive information such as mobile numbers, IDs used for Know Your Customer (KYC) processes, GSave account numbers linked to phone numbers, signatures, and selfie IDs. Notably, a specific folder containing approximately 500,000 items, including selfies, IDs, and signatures, was identified.
During the initial investigation, we encountered a folder labeled Enhanced Customer Due Diligence (ECDD), but the application used to open it repeatedly crashed, suggesting the presence of an extensive volume of sensitive data. Another folder labeled “Upgraded” contained data as recent as June 2021, organized by date of KYC completion, with each entry linked to a corresponding mobile number.
Following months of thorough investigation and waiting, our team successfully obtained a full copy of the leaked data, confirming earlier reports and underscoring the severity of the breach. Initial findings indicate that over 200,000 data subjects have been compromised, with the possibility of more as our investigation continues.
Deep Web Konek is continuing its investigation as of this writing and has already reached out to GCash for confirmation and a statement regarding this data breach.