Service interruptions
During its surge of popularity from 2017 to 2020, GCash experienced multiple service interruptions lasting between one and eight hours.[16]
There have also been reports of fraud and scams that specifically targeted GCash users, most notably involving phishing activities. In response, GCash launched "Double Safe" in 2023 which requires facial identification from customers.[17]
2023 unauthorized transactions
On May 8, 2023, when hundreds of users, reported missing funds from unauthorized bank transfers.[18][19] By midnight of May 9, the GCash app had shut down and a full-banner error message that read "We're just working on improving your experience. Rest assured that your funds are safe" was displayed.[20]
Around 300 victims formed a group chat and alleged hacking, but GCash denied that such an incident occurred and stuck to the same messaging that all funds were secure, even after its own admission that sums of money were funneled by an undisclosed malicious actor to two accounts in EastWest Bank and Asia United Bank without customer permission.[21] In a statement, GCash wrote:"Some customers may have experienced a deduction in their GCash accounts. We extended our scheduled maintenance to investigate and determined that no hacking occurred."As of 4:00 pm PHT of May 9, GCash said it has already adjusted the balance of affected users, and added that the app is operational again after an hours-long downtime.[22] Users and government regulators remained unhappy without the public disclosure of a comprehensive investigation's findings. House Deputy Minority Leader Bernadette Herrera-Dy of Bagong Henerasyon filed House Resolution No. 963 which seeks for a congress-led probe because she was not satisfied with GCash's non-explanation of what caused the anomalous transactions.[23]
The Cybercrime Investigation and Coordinating Center, an attached agency of the Department of Information and Communication Technology, probed the incident and requested a meeting with executives from the mobile wallet's operator.[24] The National Privacy Commission mentioned that they, too, will be conducting an independent assessment to determine a potential data breach that may have resulted to unauthorized fund transfers.[25]
On May 24, 2023, the National Privacy Commission concluded its extensive investigation into the reported unauthorized transactions involving multiple GCash accounts. Following a thorough examination and independent verification of the incident, the NPC confirmed that the security breach resulted from phishing attacks. According to the Privacy Commissioner, John Henry Du Naga, "Unknown threat actors took advantage of vulnerable GCash users, triggering the phishing scheme through online gambling websites such as 'Philwin' and 'tapwin1.com.'"[26]