The National Privacy Commission (NPC) is now looking into a possible personal data breach following the "Mark Nagoyo" unauthorized bank transactions, which transferred funds from unsuspecting BDO Unibank Inc. account holders to fictitious bank accounts.
In a statement, Privacy Commissioner John Henry Naga said the NPC’s Complaints and Investigation Division commenced the investigation of “this serious security incident to determine the full extent of the compromise and any violations of the Data Privacy Act (DPA)” on December 11.
Last week, victims took to social media to report that funds had been withdrawn from their BDO accounts without authorization and transferred to the accounts of a certain "Mark Nagoyo" with Union Bank of the Philippines (UBP).
The funds taken from BDO account holders were reportedly transferred to the fictitious accounts to acquire cryptocurrencies.
“On December 13, 2021, the NPC has issued notices to both BDO and Unionbank to explain, including requiring the banks to furnish additional information, documents, evidence, or witnesses, as may be necessary,” Naga said.
“NPC has been in constant coordination with both banks in relation to the sua sponte investigation of the security incident,” he added.
The Bangko Sentral ng Pilipinas has formed a task force to look deeper into the matter.
Meanwhile, BDO has started processing the reimbursement of funds of close to 700 clients affected by the fraudulent transactions.
“Under the NPC’s Rules of Procedure, a sua sponte investigation allows the Commission to investigate possible personal data breaches even without a formal complaint from the public or a third party,” the Privacy chief said.
“The NPC also looks into the relevance of BDO’s 10-year-old system to the alleged security incident and to determine whether sufficient technical, organizational, and physical safeguards were in place to prevent unauthorized disclosure of personal information that may have been contained in the system,” he added.
To recall, BSP Governor Benjamin Diokno said that the central bank has also received information that the incident involved a 10-year-old service of the Sy-led lender, which is already due for phase-out early in 2022.
“Apart from requiring additional evidence and information, the NPC has ordered BDO and Unionbank to appear for a clarificatory conference, on January 4, 2022, to verify and clarify the evidence submitted by the banks in relation to the investigation,” Naga said.
“The NPC assures the public that all steps necessary to safeguard the rights of data subjects shall be taken and that the Commission shall exercise the full extent of its powers under the law against any party found to be in violation of the DPA (Data Privacy Act),” he said.
UnionBank, on the other hand, identified six persons of interest behind the hacking incident.
“The Commission is also coordinating with other government agencies in relation to this security incident,” the NPC chief said. — BM, GMA News