BPI on June 6 glitch: ‘100% not a hack’

Gelo Gonzales
BPI says an overzealous programmer is responsible for the system glitch that affected 1.5 million of its 8 million clients

MANILA, Philippines – The Bank of the Philippine Islands (BPI) assured a Senate panel on Wednesday, June 21, that its recent system glitch was “100%” not a case of hacking. (Read: BPI system glitch causes mispostings on client accounts)

At a Senate inquiry on the technical glitches at the BPI and BDO Unibank on Wednesday, BPI executives took turns explaining that their cybersecurity systems were in place, and that there was nothing “aberrant” across multiple cybersecurity fronts. 

“Your honor, [we are] 100% definite it is not a hack,” BPI executive vice president for enterprise services Ramon Jocson said at the Senate probe into the bank’s system glitch that caused unauthorized transactions in many of its clients’ accounts.

Jocson also said that BPI consulted its two third-party service providers, FireEye Mandiant and IBM, which did not find hacking concerns relating to the glitch.

FireEye Mandiant, a cybersecurity vendor, uses tools to “look out for any noise” while IBM  manages BPI’s cybersecurity operations.

Jocson was responding to questions from Senator Francis Escudero, chairman of the committee on banks, financial institutions and currencies, which conducted the inquiry.

BPI President and CEO Cezar Consing told the Senate panel that about 1.5 million of BPI’s 8 million clients were affected by the glitch.

Programmer’s error

During the hearing, Consing said the glitch was due to human error – a programmer had inputted bank transaction data under the wrong dates.

This human-caused “internal data processing error” led to account balances being updated using transactions from another date (April 27 to May 2) instead of June 6, the day when the incorrect account balance postings began. 

In response to Senate Minority Leader Franklin Drilon, Consing said that the concerned programmer had a “lapse in judgment” and had no malicious intent, especially as the person “had nothing to gain at all” from such an error.  

Jocson said it was “pinpointed that this person was to blame” and that the programmer “owned up to committing the mistake.”

BPI executives did not name the programmer but referred to the person as “she” during the course of the inquiry. She had been with BPI for 3 years, and was at the “top of her programming class.”

Jocson said the error was the product of the programmer’s “zeal to do things faster.”

Asked what sanctions the programmer faced, BPI executives said their internal investigation was still ongoing.

“Until this [investigation] is concluded, said person has been reassigned to another area, and all her access rights to our system had been taken out,” Jocson said.

BPI executives revealed during the inquiry that their cybersecurity operation center tracks “20,000 events per second.”

A person logging in to their online banking system, transactions through a teller – these are counted as some of the events that the system counts. The operation center uses tools to identify “aberrant behavior” in these events. BPI said that no such behavior was detected relating to the incident. 

A breach or a hack, BPI told the Senate panel, would have an effect on the data traffic within their systems that they would have seen or noticed. It said no such aberrations were seen in the traffic that would have pointed to a cybersecurity concern. – Rappler.com

 

Gelo Gonzales

Gelo Gonzales is Rappler’s technology editor. He covers consumer electronics, social media, emerging tech, and video games.