BDO Unibank Inc. has dismissed social media claims by client Maria Jamila Cristiana Gonzales Berenguer alleging a system compromise and insider involvement in unauthorized transactions.
BDO said in a statement that its investigation found no evidence of a system breach. Instead, the unauthorized transactions followed a password reset and device registration that were validated by a one-time password (OTP) sent to the client’s registered mobile device, the bank said.
It said the OTP was sent on Sept. 14, 2025, the day before the reported transactions.
Berenguer, in an interview with ABS-CBN, acknowledged that her mobile device had been with other people.
BDO said transaction alerts were sent to Berenguer on Sept. 15, six hours before she reported the issue to the BDO Hotline.
“Transactions through BDO Pay require a PIN or biometrics, not OTP,” BDO said.
“OTP is required only for device registration,” it said.
BDO claimed that transfer limits were not bypassed and its security controls remain in place.
The bank said it has tried to engage with Berenguer, but she has “declined and continue[d] to post several videos that are inaccurate.”
