Bangko Sentral ng Pilipinas (BSP), the country’s central bank, has formed a new task force to probe recent hacking incidents targeting BDO Unibank, the country’s largest lender.
The new task force includes Deputy Governor of the Financial Supervision Sector Chuchi Fonacier, Technology Risk and Innovation Supervision Director Mel Plabasan, and the Anti-Money Laundering Council (AMLC).
On December 12th, social media was awash with complaints from customers who woke up to find their accounts had lost as much as $2,000, with some discovering that the money had been transferred to UnionBank accounts.
In a Facebook group labeled “Mark Nagoyo BDO Hacked”, users posted screenshots of online bank transfers to UnionBank accounts under the name Mark Nagoyo. Users also said that they did not click on any links or receive any SMS or One-Time PIN (OTP) prompts to approve the transaction. “Nagoyo” in Tagalog literally means “scammed” or “fooled.”
The number of complaints to BSP has grown dramatically over the last few days, with many users expressing irritation on social media platforms. According to BSP Governor Benjamin Diokno, the central bank has been closely monitoring the situation and ensuring the protection of financial consumers.
“We are in close coordination with BDO as well as UBP (UnionBank of the Philippines) on this incident to ensure that remedial measures are being undertaken, including reimbursement of affected consumers,” Diokno said in a statement on Sunday.
The same day, BDO released its own statement saying that the incidents are part of a “sophisticated fraud technique”, and announced that innocent clients will be reimbursed for their losses.
“We at BDO are continuously investing and working towards improving our security infrastructure to protect our clients’ money. While we have put back-end measures in place, we appreciate our clients’ continued vigilance to combat fraud,” the firm said while reminding customers to strengthen and change their passwords.
BDO Bank president Nestor Tan stated that the incident “affects a ten-year-old web service that is for phaseout,” and that a replacement should be available in early 2022.
In a conversation with the Inquirer, the National Privacy Commission (NPC) also said it would investigate reports of data security breaches that resulted in the unauthorized withdrawals from BDO and the use of “mule” accounts at UnionBank.