BSP now looking into consumer concerns over BDO's terms and conditions, as NPC investigates 'possible data breach'
The Bangko Sentral ng Pilipinas (BSP) said it is now looking into concerns raised on social media about the terms and conditions of Banco de Oro Unibank (BDO) for its clients, while the National Privacy Commission (NPC) said it is also investigating a "possible data breach" involving the bank following a recent hacking incident.
For the past few days, some users on social media pointed out BDO's terms and conditions as shown on the bank's app, with some saying that it has been revised after the latest "Mark Nagoyo" hacking issue.
New and “improved” terms and conditions of the BDO app. “With or without your participation” wala na silang paki kahit pa lapse from their end ang cause. Got this screenshot from a friend pic.twitter.com/JplYmALHSo
— Jeff (@jeff_ricafrente) December 18, 2021
Regular compliance
Under the “Liability” section, netizens raised concerns about the number two statement: “Loss or damage you may suffer arising out of any improper, fraudulent access or utilization of BDO Online Banking due to theft or unauthorized disclosure of username, passwords, ATM PINs, Online Banking PINs or violation of other security measures with or without your participation.”
The issue came out after some BDO clients were reportedly hacked, with their accounts reportedly transferring money without their consent to a certain account under Union Bank of the Philippines with the name "Mark Nagoyo." BDO has said that it will reimburse the close to 700 clients affected by the hacking incident.
BDO also denied revising their terms and conditions recently.
"Liability clause is a regular compliance in the banking industry and has been part of the normal compliance for a long time. There was no added clause due to the recent incident," the bank said in a statement.
Consumer protection angle
BSP deputy governor Chuchi Fonacier, via text message, said the issue "is a legal matter. It’s an agreement between the bank and its clients. The client should review the terms whether it is something acceptable to him/her."
Even then, Fonacier said "the BSP is looking at the consumer protection angle."
"At the same time, (also) from a legal perspective," added Fonacier.
Melchor Plabasan, director of BSP’s technology risk and innovation supervision department, also told reporters that they are also reviewing the waiver.
“It’s really a consumer protection issue as well as probably public policy consideration. We are now reviewing the parameter of this waiver. And we’re also engaging our legal experts here in the BSP to check whether they are consistent with our financial consumer protection policies," Plabasan said.
Possible personal data breach
In a statement today, meanwhile, the NPC said that it “is investigating the possible personal data breach involving unauthorized transactions and potential unauthorized processing of personal data resulting from the suspected compromise of multiple BDO accounts.”
The statement was also the first released by newly appointed NPC Commissioner John Henry Naga, whose appointment was confirmed by Malacanang and NPC on Dec. 17.
Complaints over the hacked accounts from BDO clients surfaced on social media around Dec. 10, and was initially reported the weekend of Dec. 11-12, with the first story coming out from the Manila Bulletin on Dec. 11.
NPC said that their Complaints and Investigation Division started investigating the issue on Dec. 11.
Under NPC Circular 16-03, private and public entities that process personal data are mandated to notify the NPC whenever they are breached “within seventy-two (72) hours upon knowledge of or the reasonable belief by the personal information controller or personal information processor that a personal data breach has occurred.”
Naga, via text message, told PhilSTAR L!fe that the NPC has not received any breach notification from BDO as of press time.
"To date, NPC has not received from BDO a breach notification report through NPC breach report email nor via regular courier," said Naga.
Sua ponte investigation
But NPC said that on Dec. 13, it issued notice to the BDO and UnionBank “to explain, including requiring the banks to furnish additional information, documents, evidence, or witnesses, as may be necessary.”
“NPC has been in constant coordination with both banks in relation to the sua sponte investigation of the security incident,” said NPC.
Under NPC’s rules, a sua ponte investigation allows the Commission to investigate possible personal data breaches even without a formal complaint from the public of a third party.
NPC said it is also looking into the relevance of BDO’s 10-year-old system to the alleged security incident, which has been incited as a vulnerability that hackers reportedly exploited while the bank was transitioning to a newer system.
NPC has also called BDO and UnionBank for a conference on Jan. 4 regarding the matter.
PhilSTAR L!fe has reached out to BDO for a reaction from NPC’s statement but has not received any response for now. (with a report from Lawrence Agcaoili)