MANILA, Philippines — Sy-led BDO Unibank has agreed to reimburse the financial losses of close to 700 clients affected by massive online hacking incidents over the past few days, which resulted in several unauthorized electronic fund transfers.
In a statement, the country’s largest bank has instructed affected depositors to submit the required documents to their respective branches.
“We have requested our clients to go to their branch of account and submit documentation to get the refund. The bank will shoulder the losses perpetuated by this cybercrime incident,” BDO said.
The listed bank owned by the family of the late retail and banking magnate Henry Sy continues to work closely with the appropriate authorities and the Bangko Sentral ng Pilipinas (BSP).
Even as BDO has agreed to reimburse the victims of the hacking incidents, the BSP still created a task force composed of cyber and anti-money laundering experts to look into the online hacking incidents.
BSP Deputy Governor Chuchi Fonacier of the central bank’s Financial Supervision Sector (FSS) is the head of the task force, together with BSP director Melchor Plabasan of the Technology Risk and Supervision Department (TRISD) and the Anti-Money Laundering Council (AMLC).
“We are forming a task force composed of cyber and anti-money laundering specialists and legal officers to determine the root causes and possible control lapses involving the incident,” BSP Governor Benjamin Diokno told reporters.
The BSP chief has given the task force 30 days to complete their investigation and submit recommendations on possible sanctions if there are indeed lapses.
“Guided by relevant laws and regulations, penalties and/or sanctions may be imposed depending on results of the examination,” Diokno said.
Over the past few days, several BDO depositors took to social media to report that their accounts had been hacked, resulting in losses of between P25,000 and P50,000, which were transferred to various accounts allegedly owned by one Mark Nagoyo in Aboitiz-led Union Bank of the Philippines.
Diokno said BDO informed the regulator that the incident affected a 10-year-old web service that is due for phaseout early next year.
“BDO confirmed in their statement that the incident emanated from a 10-year-old service that is due for phaseout early next year. What we also know is that some affected customers reported they did not click any links, nor were they asked to supply sensitive information. So we are in close coordination with BDO and we’ll update the public on this matter,” he said.
The BSP has already directed both banks to put in place remedial measures, including the reimbursement of the losses incurred by the depositors from the unauthorized fund transfers resulting from the “sophisticated fraud technique.”
“Getting to the bottom of this will entail a complex cyber forensic investigation to determine the actual number of affected customers and how much they lost from this fraud,” Diokno said.
More victims are sharing stories of how their accounts were hacked; some of them have joined the Mark Nagoyo BDO Hacked Facebook group, which now has more than 5,000 members.
For one, a certain Josh Sta. Lucia said P111,240 was stolen from his account via fund transfer in two separate transactions after he received a call from BDO regarding problems with one-time PIN (OTP) a week before the incident.
Sta. Lucia claimed a manager from a local branch called him two days before the incident and instructed him to update his contact details.
“On the day of the incident, somebody from BDO called me telling me to fix my problem with OTP and that she walked me thru. Since she is calling from BDO, I followed every instruction and without my knowledge she is manipulating my account,” Sta. Lucia shared.
Sta. Lucia reported the incident to the Philippine National Police (PNP) as well as the National Bureau of Investigation (NBI).
The country’s largest bank has vowed to reimburse the losses of innocent account holders.
“They (BDO) have assured us, however, that affected customers shall be duly reimbursed for the losses and we will make sure that this happens as soon as possible,” Diokno said.
According to the BSP chief, the regulator would also look into other vulnerabilities in the system.
“The BSP will also investigate this incident to identify vulnerabilities and non-compliance with expectations in managing cyber and anti-money laundering related risk,” Diokno warned.
Meanwhile, UnionBank said it stands in solidarity with the entire banking industry and the relevant government agencies in the fight against cybercrimes.
“We are collaborating closely with BDO with their investigation of recent fraudulent activities and have already taken immediate action on identified accounts. We are likewise working with law enforcement agencies and will not hesitate to take the appropriate legal action against individuals who use their accounts to facilitate criminal activities,” the Aboitiz-led bank said in a statement.