The cybercriminals involved in the hacking of BDO Unibank Inc. deposit accounts are bound to face economic sabotage charges, Anakalusugan party-list Rep. Michael Defensor said Sunday.
“The act of breaking into a bank’s computer system and stealing money from at least 50 deposit accounts constitutes economic sabotage,” Defensor, who is running for Quezon City mayor, said.
“Under the law, the offense is punishable with life in prison plus a fine of up to P5 million,” he added.
Defensor was referring to Republic Act No. 11449, the 2019 law that increased the penalties for the unlawful use of electronic access devices such as cards, codes, personal identification numbers (PINs), user names, and passwords, among others.
Union Bank of the Philippines earlier said it had identified at least six persons suspected of complicity in the hacking of BDO accounts the previous weekend.
The hacking was discovered after more than 700 BDO depositors reported unauthorized Instapay transfers out of their accounts to the fictitious account of a certain “Mark Nagoyo” with Union Bank.
The exact number of accounts and the aggregate sum of money stolen by the hackers remain unclear.
However, one report suggested that at least P5 million of the stolen funds were subsequently stashed by the cybercriminals in cryptocurrency.
Meanwhile, Defensor said the Bangko Sentral ng Pilipinas (BSP) should require banks to routinely go on high alert against potential cybercriminal activities on weekends and holidays.
“We already know that most cyberattacks on banks happen on weekends and holidays, so the practical solution is for them to heighten their vigilance on these slow days,” Defensor said.
Besides the BDO hacking, Defensor recalled that the $101 million Bangladesh Bank cyberheist in 2016 also happened on a weekend when the bank’s offices were closed.
The Philippines’ banking system got entangled in the Bangladesh central bank cyberheist after $81 million of the stolen funds were diverted to five fictitious deposit accounts with Rizal Commercial Banking Corp. (RCBC).
“We also want banks to put an end to their practice of going on slow mode when it comes to providing customer support on weekends and holidays,” Defensor said.
“Banks must respond instantly to customer complaints of potential hacking of their deposit or credit card accounts 24 hours a day, seven days a week,” Defensor said.
Defensor also said he expects the BSP and the National Privacy Commission to separately impose administrative fines on banks whose computer systems were breached, and whose depositors lost money as well as sensitive personal information.
“These administrative fines are absolutely necessary to compel banks to constantly find ways to protect their systems and safeguard their customers,” Defensor said.
“Actually, it is not true that the banks themselves are absorbing the financial losses from cyberattacks,” Defensor said.
All depositors end up paying for a bank’s financial losses when money from an account gets stolen, according to Defensor.
“In fact, every time the banks seek an increase in their automated teller machine (ATM) withdrawal or credit card fees, they always claim that they need the higher charges to pay for financial losses due to fraudulent transactions,” Defensor said.