Yearender
MANILA, Philippines – The year 2016 will go down in Philippine history as a year of successful cyber heists following two major hacking incidents that rocked the country in the first half of the year.
In February, hackers siphoned off some $101 million from the account of the Bangladesh bank at the Federal Reserve Bank of New York after gaining access to the bank’s security credentials that enabled the fraudulent money transfer.
News of the heist broke in the Philippines a month later after it was learned that as much as $81 million of the stolen money were transferred to various accounts at the Jupiter Street branch of the Rizal Commercial Banking Corp. (RCBC) in Makati City.
Also in March, an alleged voter database stolen from the website of the Commission on Elections (Comelec) was released following a breach on its online portal.
The poll body initially downplayed the breach, but concerns from various sectors grew when a user-friendly version of the database went online in April, a few weeks before the elections.
On the heels of the cybercrime incidents, the Philippine government continued to improve the country’s cybersecurity systems with the creation of the National Privacy Commission (NPC) and the passage of the law that created the Department of Information and Communications Technology (DICT).
Recently, the DICT said it was crafting the National Cybersecurity Strategy Framework 2022 to address online threats and ensure security of the Philippine cyberspace.
The Bangladesh heist
Various investigations were opened in connection with the Bangladesh bank heist, including those conducted by the Senate Blue Ribbon committee, the Anti-Money Laundering Council (AMLC) and the Bangko Sentral ng Pilipinas (BSP).
Reports on the heist showed that hackers gained access to the credentials of an operator at the Bangladesh bank, enabling them to authorize fraudulent payment orders amounting to over $1 billion from the bank’s account at the Federal Bank of New York.
A total of $101 million were transferred ($20 million to Sri Lanka and $81 million to the Philippines) before the Federal Bank stopped the transfers.
The money transferred to Sri Lanka was recovered, but not all of those sent to fictitious bank accounts in RCBC.
The Senate investigation revealed the money was transferred to remittance company Philrem, where it was converted to Philippine pesos, before being sent to various casinos.
Some $18 million have since been returned to the Bangladeshi government, with one report saying the AMLC has already accounted for around $60 million of the money, including those returned to Bangladesh.
‘Comeleak’
Charges were filed against the Comelec in June after the supposed leak of sensitive personal information of over 50 million voters, including names, addresses, birth dates and biometric information.
Jose Ramon Albert, a senior fellow of the Philippine Institute of Development Studies, filed a complaint before the privacy commission months after a searchable website (http://whaveyourdata.com) containing the information was created.
Albert, who served as secretary general of the National Statistical Coordination Board and a member of the advisory council of the United Nations Global Pulse, said Comelec failed to comply with the Data Privacy Act when it failed to disclose the nature of the breach.
Albert asked the NPC to compel Comelec to notify all affected subjects on the nature of the breach, information released and measures taken by the poll body to address the matter.
Security software company Trend Micro said cybercriminals can use the information gathered from the data breach to perform acts of extortion.
The security firm alleged the data leaked following the hacking of the Comelec website included sensitive personal identifiable information that puts every registered voter susceptible to fraud.
The Comelec later apologized for the breach, with the National Bureau of Investigation arresting hackers supposedly behind the incident.
West Philippine Sea
Several hacking incidents related to the territorial dispute in the West Philippine Sea were also reported last year.
In July, at least 68 Philippine websites were subjected to cyber attacks after the release of the ruling on the arbitration case filed by Philippines against China.
A high-level government source said the attacks included attempts of hacking and defacement, slowdowns and distributed denial of service attacks.
Also in July, a security firm traced a malware to China that supposedly tried to spy on the Philippine government and other parties related to the territorial dispute in the West Philippine Sea.
Finland-based cyber security firm F-Secure identified the malware as NanHaiShu (translated as South Sea rat), a Remote Access Trojan that can access information from infected computers to its command server.
F-Secure noted the malware was discovered to have attacked the websites of the Department of Justice, the organizers of the 2015 Asia-Pacific Economic Cooperation summit and meetings held in Manila, and an unidentified international law firm involved in the Philippine case against China.
DICT, privacy commission
Meanwhile, the government has officially established DICT and the NPC to address issues relating to ICT and data privacy.
Headed by former science undersecretary Raymund Liboro, the creation of the privacy commission was mandated by the Data Privacy Act signed in 2012.
The commission was tasked to develop and constantly review rules and regulations covering data privacy in the country, as well as serve as an advisory body on matters affecting the protection of personal data.
A quasi-judicial body, it is also tasked to monitor compliance on the provisions of the data privacy law and adjudicate complaints and investigations on matters affecting personal data.