Data of Filipino users from buy now, pay later lending (BNPL) app Cashalo, which is owned by Hong Kong-based Oriente, has been found for sale on the dark web, the country’s National Privacy Commission (NPC) reported Tuesday.

The personal data of the 3.3 million customers, including names, passwords, e-mails, phone numbers, and device identifications, have been posted by a user called “creepxploit” on sites like cybleinc.com and RaidForums. The person also provided “sample data” for potential buyers.

“Given the facts of the report, the user may have successfully downloaded files from the database of the application, which is still up for selling as of writing, February 22, 2021,” the NPC said in a statement released on Tuesday. The post had been live since February 14, 2021. However, based on KrASIA’s own findings, it was unavailable on RaidForums as of Tuesday.

The NPC launched a preliminary probe into Cashalo’s alleged breach after the fintech firm informed its office on Friday, February 19, indicating that its cybersecurity team discovered a “potential data security incident involving a Cashalo-only database archive.”

“An individual claimed to be in possession of a Cashalo customer database taken from a non-production system used by the company. This incident resulted in unauthorized access to a database archive that contained some personal data of Cashalo customers,” Karun Arya, Oriente’s VP of corporate affairs said in a statement.

Cashalo said it has since taken the system offline. The firm also assured that “no customer accounts or passwords were compromised” as the data is encrypted.

The rise of BNPL

BNPL apps, or online lending firms in general, have been under scrutiny of the NPC since they rose to popularity in the country, as some have been found to have lax data protection protocols.

In 2019, the agency shut down 26 online lending companies after customers reported that these firms illegally accessed their contact lists. The year after, the NPC has issued a circular explicitly prohibiting lending apps from “harvesting” personal information, such as phone and social media contact lists, to harass borrowers.

Just last week, the NPC recommended the criminal prosecution of an online lending firm called Fynamics Lending, which operates an online lending app that taps the users’ contact lists without permission. In order to pressure non-paying clients, the app would call their contacts to shame the loan defaulters.

Security experts have long called on more stringent measures to be imposed on lending apps for better consumer protection. The Manila-based Foundation for Media Alternatives, an NGO advocating for the right to information and to communicate, this month released a report lamenting the “opaque” underwriting processes of the apps.

“Token reminders about people needing to exercise more caution are ineffective and rather woeful,” it said. “Cybersecurity ought to be a priority, instead of an afterthought. Many technology enthusiasts commit this common mistake of thinking of technology solely in terms of convenience and profitability.”