The Bangko Sentral ng Pilipinas (BSP) has approved sanctions against SM Group’s BDO Unibank Inc. and the Aboitiz-led Union Bank of the Philippines (UnionBank) for the December 2021 cybersecurity breach which victimized 700 BDO clients.
The BSP announced on Thursday, April 28, its decision to sanction the two big banks but did not disclose the amount it will impose, any other penalties, or whether it will suspend the bank officials involved. The central bank announced only the conclusion of its three-month investigation and review of the cybercrime, which occurred on December 11 and 12.
In a brief statement, BDO said they will comply with the BSP decision. "We will work with the BSP to ensure a more secure banking environment," said BDO. The Sy-controlled bank is the country's biggest bank.
UnionBank in its own statement said they have implemented all of the BSP recommendations to prevent cybersecurity breaches. But it clarified that “there were no monetary penalties” and that they have “committed to an increase in capital charge to fortify our operations.”
The BSP said the hacking incident originated from a “compromised web service” and “involved unauthorized access of accounts with BDO” and that the fund transfers were “mostly” sent to UnionBank accounts.
“Based on the results of the investigation, the Monetary Board approved the imposition of sanctions on BDO and UnionBank to ensure that both banks will swiftly address the issues the BSP noted,” said the BSP.
BSP Governor Benjamin E. Diokno, who is still in the US, said the incident “is a reminder that we should continue to enhance our defenses against cyberthreat actors to protect the integrity of the financial system and the interests of depositors.”
The BSP said its investigation also recognized the corrective actions undertaken by both banks related to the cyber incident, including reimbursement by BDO of its affected clients.
Without giving the details, the central bank noted that the sanctions “emphasize the importance of continuously enhancing risk management systems involving cybersecurity, anti-money laundering, and combating terrorism and proliferation financing.”
“The sanctions also reinforce the need for banks to take a proactive stance in ensuring that their depositors are adequately protected,” it added.
UnionBank, for its part, said on Thursday that it has cooperated with BDO and the BSP in resolving the hacking incident. “In fact, with swift action we were able to help BDO recover a sizeable amount so that it could return it to its customers,” it said. Since January, BDO has been reimbursing the stolen money of its initially identified 700 clients.
“We are one with the BSP in pushing for stronger measures from banks against such fraudulent activities, towards creating a more secure digital financial environment for all,” said UnionBank. The bank is the country’s 9th largest lender.
The BSP has set up a task force of cyber, anti-money laundering and legal experts to probe BDO’s cybersecurity lapses and the KYC or Know Your Customer issues of UnionBank.