Privacy commission undertakes compliance audit on BPI | Inquirer Business

12:37 AM June 17, 2017

The National Privacy Commission yesterday said it had started a “compliance check” on Bank of the Philippine Islands (BPI), whose apparent technical glitch last week was being treated as a security incident since it involved personal data of the bank’s clients.

In a statement, the NPC said its compliance check would evaluate the bank’s current systems and processes “to address any gaps especially in the bank’s breach management protocol, with the view of preventing or mitigating similar incidents in the future.”

The statement noticeably refrained from making any reference to a technical glitch, which BPI had blamed for its decision to suspend online and ATM services for two days last week.

BPI, owned by Ayala Corp., had repeatedly apologized to its clients throughout the period.

The issue came to light after unauthorized transactions affected some of BPI’s approximately eight million clients, who noticed their bank accounts had ballooned or deflated in varying amounts.

The NPC noted in its statement that the BPI incident was reported to have been caused by human error that resulted in previously posted transactions being reposted.

“The BPI incident involved a breach in security affecting the availability and integrity of information that relates to individuals,” the NPC said, adding this was “considered a personal data breach.”

Commissioner Raymund Enriquez Liboro explained that the incident affected what was regarded as personal information under the Data Privacy Act.

“This includes the processing of data, which is capable of uniquely identifying data subjects, such as the account information of BPI and BPI Family Bank customers contained in BPI’s systems,” he said.

“Second, the nature of the incident impacted both the availability and integrity of personal information considering that the incident resulted in the posting of erroneous account information and the prevention of its access to account holders,” he said.

“Under the law, impacts to availability and integrity of personal information may constitute a breach where loss and/or alteration to personal information occurs, whether accidentally or unlawfully,” he added.

The NPC said it had open lines of communication with BPI since June 7, 2017, when news of the incident emerged on social media.

“As advocate and vanguard of people’s privacy rights, however, the NPC’s public mandate compels us to look even further and deeper into this matter,” he added.

On Friday, BDO Unibank Inc., the country’s largest lender, warned that certain ATM machines could be compromised “following reported losses from cardholders.”

“Customers with unauthorized transactions may reach out to the bank via formal channels so that their cases may be properly investigated and, where confirmed as impacted, may be reimbursed,” BDO said.

Sought for comment, Liboro said the NPC would accept complaints from citizens if they felt their personal data had been compromised.
