Privacy body launches compliance check on BPI after glitch
The National Privacy Commission (NPC) said on Friday that it launched a “compliance check” on the Bank of the Philippine Islands (BPI), whose apparent technical glitch last week was being treated as a security incident since it involved the personal data of BPI’s clients.
The NPC said in a statement that its compliance check will evaluate the bank’s current systems and processes “to address any gaps especially in the bank’s breach management protocol, with the view of preventing or mitigating similar incidents in the future.”
The statement noticeably refrained from making any reference to a technical glitch, which BPI had blamed for its decision to suspend online and ATM services for two days last week, inconveniencing customers.
BPI, which is owned by Ayala Corp., had repeatedly apologized to its clients throughout the period.
The issue came to light after unauthorized transactions affected a portion of BPI’s roughly eight million clients, who noticed their bank accounts balloon or deflate with varying amounts.
The NPC noted in its statement that the BPI incident was reported to have been caused by human error that resulted in previously posted transactions being reposted.
“The BPI incident involved a breach in security affecting the availability and integrity of information that relates to individuals,” the NPC said, adding this was “considered a personal data breach.”
A BPI spokesman did not immediately respond to a request for comment on Friday.
Commissioner Raymund Enriquez Liboro explained in the statement that the incident affected what was regarded as personal information under the Data Privacy Act.
“This includes the processing of data, which is capable of uniquely identifying data subjects, such as the account information of BPI and BPI Family Bank customers contained in BPI’s systems,” Liboro said.
“Second, the nature of the incident impacted both the availability and integrity of personal information considering that the incident resulted in the posting of erroneous account information and the prevention of its access to account holders,” he said.
“Under the law, impacts to availability and integrity of personal information may constitute a breach where loss and/or alteration to personal information occurs, whether accidentally or unlawfully,” he added.
The NPC noted that it had open lines of communication with BPI since June 7, 2017, when news of the incident emerged on social media.
“We appreciate BPI’s efforts to establish communication with the Commission throughout this episode to assuage our concern for the privacy of their depositors’ personal data. We highly regard the bank’s assurances,” Liboro said.
“As advocate and vanguard of people’s privacy rights, however, the NPC’s public mandate compels us to look even further and deeper into this matter,” he added. IDL