In my Mandatory Continuing Legal Education (MCLE) lecture on February 11, 2022, for the Legal Management Council of the Philippines (LMCP), I used the hacking scandal that hung over last year's Christmas holidays as a case study of how the absence of data security can lead to data privacy violations. Granted, the NPC, as of its last pronouncement on the matter, had never openly declared that this incident resulted in a data privacy breach.

Briefly, over 700 BDO online bank depositors had money stolen from their accounts, in amounts ranging from P25,000 to as much as P100,000, between November 29 and December 9, 2021. None of the victims received a One Time Pin (OTP). They only received messages that someone had logged into their account. Some received email alerts that a new device had been added or a password had been changed, without any SMS prompt or OTP. These alerts arrived together with the notifications of the fund transfers. Some victims were charged more than the daily limit of P50,000. It was revealed that the UnionBank Account #1094211022533, to which the funds were diverted, was used to buy Bitcoin worth P5 million on the cryptocurrency market on December 11. This was traced to an account under the name "Mark Nagoyo".
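The signals described above (transfers and account changes with no OTP, and transfers beyond the P50,000 daily limit) are exactly what a bank's monitoring should flag. As an added example, not part of the original post and not BDO's own code, here is a small detector run over a constructed event log; the event names, the five-minute OTP validity window and the account labels are assumptions.

```python
from collections import defaultdict
from datetime import datetime

DAILY_LIMIT_PHP = 50_000  # daily transfer limit cited in the post
OTP_WINDOW_SECONDS = 300  # assumption: an OTP verification covers the next five minutes
OTP_REQUIRED = {"TRANSFER", "DEVICE_ADDED", "PASSWORD_CHANGED"}  # actions needing step-up auth

# Constructed sample event log (not real bank data): one row per auth or transaction event.
# A1 behaves normally; A2 shows the pattern the victims reported.
EVENTS = [
    {"ts": "2021-12-01T09:00:00", "acct": "A1", "type": "OTP_VERIFIED"},
    {"ts": "2021-12-01T09:01:00", "acct": "A1", "type": "TRANSFER", "amount": 20_000},
    {"ts": "2021-12-02T22:10:00", "acct": "A2", "type": "LOGIN"},
    {"ts": "2021-12-02T22:11:00", "acct": "A2", "type": "DEVICE_ADDED"},
    {"ts": "2021-12-02T22:12:00", "acct": "A2", "type": "PASSWORD_CHANGED"},
    {"ts": "2021-12-02T22:13:00", "acct": "A2", "type": "TRANSFER", "amount": 49_000},
    {"ts": "2021-12-02T22:14:00", "acct": "A2", "type": "TRANSFER", "amount": 25_000},
]


def find_anomalies(events):
    """Return (account, timestamp, reason) tuples for events that should have been blocked."""
    findings = []
    last_otp = {}                      # acct -> time of the most recent OTP verification
    daily_total = defaultdict(float)   # (acct, date) -> running sum of transfers that day
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        acct, kind = ev["acct"], ev["type"]
        if kind == "OTP_VERIFIED":
            last_otp[acct] = ts
            continue
        # Sensitive actions must follow a recent OTP; a missing or stale OTP is a finding.
        if kind in OTP_REQUIRED:
            otp_ts = last_otp.get(acct)
            if otp_ts is None or (ts - otp_ts).total_seconds() > OTP_WINDOW_SECONDS:
                findings.append((acct, ev["ts"], f"{kind} without recent OTP"))
        # Enforce the daily limit cumulatively, not per transaction.
        if kind == "TRANSFER":
            key = (acct, ts.date())
            daily_total[key] += ev["amount"]
            if daily_total[key] > DAILY_LIMIT_PHP:
                findings.append((acct, ev["ts"], f"daily limit exceeded: {daily_total[key]:.0f}"))
    return findings


if __name__ == "__main__":
    for acct, ts, reason in find_anomalies(EVENTS):
        print(acct, ts, reason)
```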

WHY WAS THIS A CASE OF A DATA PRIVACY BREACH?

One of the victims, Ellard Chua who lost P50,000 in the attacks, claimed that the criminals tried to put the blame on him by naming him in a doxxing campaign. He told ABS-CBN and Manila Bulletin that the perpetrators attached his name to one of the UnionBank accounts, and released his work number, making it appear he received money from the victims.

"If they've seen my name in their BDO emails saying money was transferred to Ellard Chua, then I am telling them that nothing was transferred to my account… Somebody used my name. I am not sure why they chose my name. But the beneficiary account number is not mine and not a single peso went into my account." This was his Facebook statement about the incident:

ABS-CBN also found three other victims who had the same experience as Chua. One of them was Charisse Matanguihan, whose name and phone numbers were likewise used by the criminals as the alleged recipient of money stolen from BDO accounts. She received death threats because of this. She posted her account of the incident on her Facebook page, attaching the text messages she received and other documents that support her side. These are some of them:

THE MOST CONVINCING PROOF THAT THE BDO HACKING WAS A DATA PRIVACY BREACH

The police arrested several members of a syndicate comprising Nigerians and Filipinos who worked together. They opened BDO accounts using fake documents. One member, Clay Revillosa, created the hacking software. He told the NBI:

"I get into the website, then I plant a backdoor, then I put in an extracting tool for the database to extract people's information."

Source: NBI Arrested 4 Alleged Suspects of BDO Missing Money, January 21, 2022, https://philnews.ph/2022/01/21/4-suspects-behind-unauthorized-bdo-transfers-arrested-by-nbi/

WHAT THE EVIDENCE INDICATES

Clearly, this was not a phishing or smishing attack that can be blamed on the depositors. It was a directed attack against the insecure BDO online banking website: software established a backdoor into the online banking system and extracted the personal information of selected individuals whose account balances were large enough to be worth taking.

The fact that the criminals obtained the names and work phone numbers of some of the victims, and used them to divert suspicion and attention from themselves, is proof that the hacking software Clay Revillosa admitted to having made was quite effective at ferreting out the personal, sensitive and confidential information of the BDO depositors it targeted. There is no point in delaying the finding that there was a data privacy breach, because the victims have already suffered its effects.

This is also an overwhelming indication of the insecurity of the 10-year-old BDO online banking system. The weakness of that system had been known for quite some time in the business and tech community.

In fact, BitPinas published an article with a screenshot of comments from several people who were unhappy with the perception that cryptocurrency and UnionBank share some of the blame for the hacking incident (https://bitpinas.com/fintech/crypto-community-bdo-hack-incident/). The blame lies with the apparent gross negligence of BDO management, particularly its CISO/CIO/CTO/CDO and, to a certain extent, its DPO. This was a spectacular failure of the C-suite executives and the Compliance Officer in not complying with the legal obligations under R.A. 10173 and with the technical and industry standards and protocols that cover data security.

This was one of several case studies I presented to LMCP members, who include some of the legal luminaries of the Philippines. I want to give a shout-out in particular to one lawyer. I have always asked, declared and wished that some lawyers would attend my lectures in formal wear, and in this global lockdown that we are still experiencing, my wish came true!

Kudos to Atty. Gabionza for looking so dashing and dapper in his tuxedo! He said he had a speaking engagement after my lecture, and it must have been some kind of engagement! And of course, thank you to all the 133 lawyers who attended and the UPIAJ staff who handled the technological logistics for this event.


This free site is ad-supported. Learn more