The National Privacy Commission (NPC) is looking into BDO’s 10-year-old system as part of its investigation into possible personal data breaches in the recent BDO hacking.
“The NPC also looks into the relevance of BDO’s 10-year-old system to the alleged security incident and to determine whether sufficient technical, organizational, and physical safeguards were in place to prevent unauthorized disclosure of personal information that may have been contained in the system,” the privacy body said on Wednesday, December 22.
The bank’s president Nestor Tan was quoted in a December 13 article by the Philippine Daily Inquirer saying that the incident “affects a 10-year-old web service that is for phaseout” with a replacement said to be available early next year.
The statement has garnered criticism online, with netizens questioning why a bank would be relying on what looks to be an old system. The cybersecurity landscape is often looked at as an arms race, with hackers constantly looking for ways to defeat security systems in place.
BSP Governor Benjamin Diokno had also earlier said the hack was likely made possible by a 10-year-old BDO service due for phaseout in 2022.
Based on initial reports, customers were not victims of phishing scams, as they did not click on suspicious links or provide sensitive information through any website.
The NPC said it began its investigations on December 11, with the goal of determining the “full extent of the compromise and any violations of the Data Privacy Act.”
Notices were issued to both BDO and Unionbank on December 13 to provide information, documents, evidence, or witnesses relating to the “serious security incident.”
The government body is set to meet with the banks on January 4, 2022 for a “clarificatory conference” to “verify and clarify the evidence submitted by the banks in relation to the investigation.”
On December 14, BDO said it was processing the reimbursement of about 700 hacked clients. The bank also denied social media reports that it had updated its terms and conditions regarding a liability clause that states it is not liable for any losses arising from improper or fraudulent access to online banking accounts. The bank said the clause had been present “for a long time.” – Rappler.com