The other day, Anakalusugan representative Michael “Mike” Defensor warned that cybercriminals involved in hacking BDO Unibank Inc.’s deposit accounts risked facing charges of economic sabotage, with penalties ranging from life imprisonment to a fine of up to 5 million pesos, declaring that breaking into a bank’s computer system and stealing money from more than 50 deposit accounts constitutes economic sabotage.
Defensor was referring to Republic Law 11449, the 2019 law that increased penalties for the illegal use of electronic access devices such as cards, codes, personal identification numbers (PINs), usernames and passwords, among others.
The hack was discovered after more than 700 BDO depositors reported unauthorized Instapay transfers from their accounts to a fictitious “Mark Nagoyo” account at Union Bank of the Philippines, although the exact number of accounts and the total amount of money stolen by hackers remain unclear as the two banks refused to disclose further details of the hacking incident.
However, a report suggested that at least P5 million of the stolen funds were subsequently hidden by cryptocurrency cybercriminals.
While no arrests have yet been made, UBP announced that it had already identified at least six people suspected of complicity in the hacking of BDO accounts the previous weekend.
BDO also revealed that it has already identified the technology and web service involved in the hack, effectively stopping the bleeding.
But while everyone is focusing on cybercriminals, a source within the IT industry suggested that the Bangko Sentral ng Pilipinas should be stricter on the service providers that banks hire.
According to the source, the leak was clearly from the service providers the two banks employ.
“The web is vulnerable to piracy. This is why we in the IT industry are initiating additional layers of security measures to keep our customers safe,” the source said.
“But if you look at it, as businessmen grapple with stringent requirements to secure all the requirements necessary to engage in banking, the industry is pretty lenient in hiring their respective service providers. And they have a crucial role to play in securing the accounts of the bank’s customers,” the source said.
According to early reports, customers weren’t victims of phishing scams because they didn’t click on suspicious links or provide sensitive information through a website.
The National Privacy Commission, which also raised its hand in the investigation, said it was considering a possible personal data breach in BDO.
“Thus, the banking industry should become more stringent in the process of securing the services of its service providers, and these service providers should be regulated by the BSP and should even obtain accreditation to engage in IT services from any bank,” the source said.
Additionally, Defensor suggested that the BSP require banks to systematically put themselves on high alert against potential cybercrime activity on weekends and holidays.
“We already know that most cyberattacks on banks happen on weekends and holidays, so the practical solution for them is to increase their vigilance in these downturn days,” Defensor said.
“We also want banks to end their practice of going slow when it comes to providing customer support on weekends and holidays,” Defensor said, adding that banks need to respond instantly to customer complaints about a possible hacking of their bank or their credit card accounts 24 hours a day, seven days a week.
Defensor also said he expects the BSP and NPC to separately issue administrative fines on banks whose IT systems have been breached and whose depositors have lost money as well as sensitive personal information.
“These administrative fines are absolutely necessary to force banks to constantly find ways to protect their systems and protect their customers,” Defensor said.
“In fact, it is not true that the banks themselves absorb the financial losses from cyber attacks,” Defensor said.
All depositors end up paying a bank’s financial losses when money from an account is stolen, according to Defensor.
“In fact, every time banks ask for an increase in their withdrawal or credit card fees from ATMs, they always claim they need higher fees to pay for financial losses due to fraudulent transactions,” Defensor said.
Be tough on cybercriminals, tougher on banking service providers, but also make sure banks are held accountable for incidents like these.