Saturday, April 20, 2024

Go harsh on cybercriminals, strict on bank service providers


The other day, Anakalusugan Rep. Michael “Mike” Defensor warned that the cybercriminals involved in the hacking of BDO Unibank Inc. deposit accounts are bound to face economic sabotage charges, which carry penalties of a life sentence plus a fine of up to P5 million. He said the act of breaking into a bank’s computer system and stealing money from more than 50 deposit accounts constitutes economic sabotage.

Defensor was referring to Republic Act No. 11449, the 2019 law that increased the penalties for the unlawful use of electronic access devices such as cards, codes, personal identification numbers (PINs), user names, and passwords, among others.

The hacking was discovered after more than 700 BDO depositors reported unauthorized Instapay transfers out of their accounts to the fictitious account of a certain “Mark Nagoyo” with Union Bank of the Philippines, although the exact number of accounts and the aggregate sum of money stolen by the hackers remain unclear as both banks refused to divulge further details on the hacking incident.

However, one report suggested that at least P5 million of the stolen funds were subsequently stashed by the cybercriminals in cryptocurrency.

While no arrest has yet been made, UBP has announced it has already identified at least six persons suspected of complicity in the hacking of BDO accounts the previous weekend.


BDO also bared it has already identified the tech and web service involved in the hack, effectively stopping the bleeding.

But while everyone’s focus is on the cybercriminals, a source within the IT industry suggested that the Bangko Sentral ng Pilipinas should go stricter on the service providers the banks hire.

According to the source, the leak obviously came from the service providers the two banks employ.

“The web is vulnerable to hacking. That’s why we in the IT industry engage additional layers of security measures to ensure security for our clients,” said the source.

“But if you will look at it, while businessmen are saddled with strict requirements in securing all the requirements necessary to engage in the business of banking, the industry is quite lenient in hiring their respective service providers. And they have a crucial role to play in securing the accounts of the bank’s clients,” said the source.

Based on initial reports, customers were not victims of phishing scams, as they did not click on suspicious links or provide sensitive information through any website.

The National Privacy Commission, which also dipped its hands in the investigation, said it is looking at a possible personal data breach in BDO.

“Thus, the banking industry should get stricter in the process of securing the services of their service providers, plus these service providers should be regulated by the BSP and should even secure accreditation to engage in any bank’s IT services,” the source stressed.

Additionally, Defensor suggested that the BSP require banks to routinely go on high alert against potential cybercriminal activities on weekends and holidays.

“We already know that most cyberattacks on banks happen on weekends and holidays, so the practical solution is for them to heighten their vigilance on these slow days,” Defensor said.

“We also want banks to put an end to their practice of going on slow mode when it comes to providing customer support on weekends and holidays,” Defensor said, adding that banks must respond instantly to customer complaints of potential hacking of their bank or credit card accounts 24 hours a day, seven days a week.

Defensor also said he expects the BSP and the NPC to separately impose administrative fines on banks whose computer systems were breached, and whose depositors lost money as well as sensitive personal information.

“These administrative fines are absolutely necessary to compel banks to constantly find ways to protect their systems and safeguard their customers,” Defensor said.

“Actually, it is not true that the banks themselves are absorbing the financial losses from cyberattacks,” Defensor said.

All depositors end up paying for a bank’s financial losses when money from an account gets stolen, according to Defensor.

“In fact, every time the banks seek an increase in their automated teller machine withdrawal or credit card fees, they always claim that they need the higher charges to pay for financial losses due to fraudulent transactions,” Defensor said.

Go harsh on cybercriminals, stricter on banks’ service providers but also make sure banks are held liable for incidents like these.
