Privacy body starts probe into BDO hacking incident

MANILA, Philippines — The National Privacy Commission said Wednesday it is investigating a massive fraud that hit BDO Unibank Inc. which saw hundreds of the bank’s clients complaining about unauthorized transactions that siphoned out their money.

The probe started last December 11 and would also touch on the Sy-led bank's decade-old system — which is set to be replaced next year — to see if it was equipped with necessary defenses against cybercrimes, Privacy Commissioner John Henry Naga said in a statement.

But more importantly, Naga said the investigation would zero in on any violations of the Data Privacy Act. The online fraud — which happened amid the Christmas shopping season — affected close to 700 clients of BDO. The Philippines’ largest bank in total asset terms is now processing the reimbursements of compromised accounts.

"The NPC also looks into the relevance of BDO’s 10-year-old system to the alleged security incident and to determine whether sufficient technical, organizational, and physical safeguards were in place to prevent unauthorized disclosure of personal information that may have been contained in the system," Naga said.

The NPC noted that under their Rules of Procedure, a sua sponte investigation allows them to probe the cybercrime without the need for a formal complaint from the public or a third party.

Apart from BDO, the NPC also asked Union Bank of the Philippines to explain to the commission the incident after some BDO clients reported that their money were illegally transferred to a UnionBank account under the name "Mark Nagoyo" and were used to buy cryptocurrency. Both banks have been required to provide “additional information, documents, evidence, or witnesses,” as may be necessary for the investigation.

"NPC has been in constant coordination with both banks in relation to the sua sponte investigation of the security incident," Naga said.

For its part, BDO confirmed it is coordinating with authorities. The Bangko Sentral ng Pilipinas has formed a team to investigate the cybercrime. A central bank official said authorities have identified two to four hackers behind the online fraud.

"We will reach out as new information becomes available. In the meantime, we assure you that the Bank is working closely with authorities," Honey Reyes, senior assistant vice president at BDO, said.