What You Need to Know About the Recent Data Security Incident

Media Statement relating to Data Security Incident (20 Feb 2021)

INCIDENT RELATED

I heard that there was unauthorized access to your Cashalo database. What happened?

On 18 February 2021, our IT security team discovered a data security incident involving illegal access to a Cashalo-only database archive. We immediately took the system offline, commenced investigations, self-reported it to the Philippines’ National Privacy Commission and took a number of steps to review and enhance our security measures.

How did Cashalo discover the breach/cyberattack?

Our IT security team discovered the data security incident on 18 February 2021, during the course of regular proactive monitoring.

What data is compromised by this incident?

This incident resulted in illegal and unauthorised access to a database archive which contained some personal data of Cashalo customers, including some combination of usernames, email, phone numbers, device ID and passwords. Our encryption implementation ensured that no customer accounts or passwords were compromised.

How do I know if my account was affected?

We will notify affected customers directly via email, and in-app notification about what personal details were accessed and how best they can manage the variable risks involved.

Our encryption implementation ensured that no customer accounts or passwords were compromised.

As a precaution, we encourage customers to change their password. Please also continue to be on the alert for spam emails requesting personal or other sensitive information, as well as any unusual activity. Cashalo does not request customers to give their password information over email or phone.

Is my Cashalo account safe to use? Will it be affected?

Yes. We have taken immediate measures to prevent unauthorised access to the database archive that was affected. Our operations are not affected and you may continue to access your Cashalo account safely.

As a precaution, we encourage customers to change their password. Please also continue to be on the alert for spam emails requesting personal or other sensitive information, as well as any unusual activity. Cashalo does not request customers to give their password information over email or phone.

For security tips to better protect yourself online, please see “What can I do to protect myself and my data?”.

Have you reported this to the authorities?

Yes, we have swiftly self-reported this incident to Philippines’ National Privacy Commission. We are also in touch with other relevant authorities, and will continue to work closely with them to resolve this matter swiftly.

SECURITY & PRECAUTION

What is Cashalo doing to protect its customers?

If your information was affected, we will reach out to you directly via e-mail. All Cashalo account passwords are protected by encryption. Our encryption implementation ensured that no customer accounts or passwords were compromised. As a precaution, we encourage customers to change their password.

Protecting the data and privacy of our users is our highest priority. We are working closely with the relevant authorities including the Philippines’ National Privacy Commission on this incident and remain committed to providing the necessary support to all our users.

What can I do to protect myself and my data?

Your existing Cashalo account password is protected by encryption. As a further security measure, we recommend that you change your password.

Please also continue to be on the alert for spam emails requesting personal or other sensitive information, as well as any unusual activity. Cashalo does not request customers to give their password information over email or phone. If you receive any calls claiming to be from Cashalo or Oriente asking for payment information, credit card numbers, or any other confidential information, you should hang up. Do not provide any information to the caller.

Some additional tips:

  • Never share confidential information with anyone over the phone, email or text, even if they claim to be someone you know.
  • Delete messages from numbers or names you do not recognise.
  • Change your passwords frequently, and avoid using the same email and password combination across different services.

Can I trust Cashalo with my data going forward?

Cashalo places great importance on protecting your personal information, and we value the trust you have placed in us. We want to be transparent about this incident with all of our customers and reassure you that we are taking it very seriously. We are fully committed to taking the necessary steps to minimize the risk of a similar incident occurring in the future.

How can I contact Cashalo if I have further questions/concerns?

For any concerns feel free to reach out to hello@cashalo.com or to our Data Protection Officers at dpo@cashalo.com and dpo@paloo.com.ph

What is Cashalo doing to help customers affected?

We apologize sincerely and unreservedly for this unfortunate incident and those impacted. Apart from reviewing and fortifying our security infrastructure, we are working very closely with the relevant authorities including the Philippines’ National Privacy Commission on this incident and remain committed to providing all necessary support to our users.

For those affected by this incident, an email has been sent to you informing you on the next steps.

Once again, we are truly sorry for any inconvenience and concern this may have caused. We assure you, our Cashalo community, that we are working together with the authorities and our partners to complete a thorough investigation and enhance our security policies and safety measures.

Cashalo places great importance on protecting your personal information, and we value the trust you have placed in us. We want to be transparent about this incident with all of our customers and reassure you that we are taking it very seriously.

About Cashalo

Cashalo is a fintech platform that delivers digital credit to Filipinos – helping them elevate their financial well-being. All loans under the Cashalo Platform are financed by Paloo Financing Inc., with SEC Registration No. CSC201800209 and Certificate of Authority No. 1162

Want to help accelerate financial inclusion in the Philippines? We’re hiring – jobs@cashalo.com

Address: 16F World Plaza, BGC, Taguig City, Philippines 1634