Friday, March 29, 2024

NPC probing if BDO’s 10-year-old system can still hack it

In his first media statement since assuming his new post last Dec. 14, National Privacy Commission (NPC) chair John Henry Naga said the agency is investigating the “relevance” of BDO’s 10-year-old system to the recent high-profile security incident.

New privacy commissioner John Henry Du Naga
(Photo courtesy of Victoria Du Naga Facebook)

Naga said the NPC is probing whether BDO’s aging IT system had sufficient technical, organizational, and physical safeguards in place to prevent the unauthorized disclosure of personal information in relation to the recent hacking event.

As early as Dec. 11, he said the NPC’s Complaints and Investigation Division has commenced the investigation of the “serious” security incident to determine the full extent of the compromise and any violations of the Data Privacy Act (DPA).

On Dec. 13, 2021, the NPC issued notices to both BDO and Unionbank, requiring the banks to furnish additional information, documents, evidence, or witnesses, as may be necessary, according to Naga.

“NPC has been in constant coordination with both banks in relation to the sua sponte investigation of the security incident. Under the NPC’s Rules of Procedure, a sua sponte investigation allows the Commission to investigate possible personal data breaches even without a formal complaint from the public or a third party,” the privacy commissioner said.

Apart from requiring additional evidence and information, he said the NPC has ordered BDO and Unionbank to appear for a clarificatory conference on Jan. 4, 2022, to verify and clarify the evidence submitted by the banks in relation to the investigation.

“The NPC assures the public that all steps necessary to safeguard the rights of data subjects shall be taken and that the Commission shall exercise the full extent of its powers under the law against any party found to be in violation of the DPA,” Naga said.

Earlier, cybersecurity firm Kaspersky stressed the need for better collaboration for incident response.

“The latest attack against financial institutions in the Philippines underscores the fact that banks and financial entities remain of interest to cybercriminals whose main goal is to steal money,” said Yeo Siang Tiong, general manager for Southeast Asia at Kaspersky.

Groups that prey on the financial sector find vulnerabilities within the IT infrastructure of their target organizations to carry out their attacks, added Tiong.

“From our experience investigating cyber incidents, we know that there are cyber gangs that are professionals and can really resist detection. In case of suspicion of intrusion, we recommend that organizations request for professional assistance with incident response,” the Kaspersky executive said.

“We encourage financial companies to pay more attention to cybersecurity literacy within the organization, invest into additional protection and regular security assessment on all parts of the network, and collaborate with relevant authorities in the country like CERTs, law enforcement agencies, as well as private entities in their sector and cyber security professionals for better information sharing and prevent attacks in the early stage in the future,” Tiong said.
