Officials of the Bank of the Philippine Islands and Banco De Oro-Unibank on Wednesday told the Senate hearing on technical glitches that hit the country’s two biggest banking institutions that no money was lost from their clients and preventive measures were done to avoid a recurrence of the case.
Testifying before the Senate committee on banks, financial institutions and currencies, BPI executive vice president for enterprise services group Ramon Jocson told the Senate panel chaired by Senator Chiz Escudero that the “system error” that hit the bank, which affected 2.9-million transactions and 1.5-million depositors was “100 percent not a hack.”
He added that what happened was a closed system IT where there was an error.
“One hundred percent, di ito hacked,” said Jocson adding that there was no involvement of an internet or third party in the processing error. He said the error was caused by a programmer who was processing transactions in a rush.
Jocson said the glitch occurred after one of the bank’s top technicians entered a wrong date while trying to update a report from the internal system.
“On June 6, we needed to reconcile a report from May 26 to 29. Ang na-enter niya sa online system namin was April 27 to May 2,” he said.
This, he said, updated the balances using transactions from April 27 to May 2 instead of June 6.
Asked by Senate Minority Leader Franklin Drilon if this was a case of an error in judgment of a programmer, Jocson said yes. He said this particular person has been with BPI and has always the zeal to do things faster.
When Drilon asked if the programmer’s action was malicious, Joscon it was an innocent error and nothing was malicious in the error in processing.
Jocson said that the programmer, who belonged to the top of her class, has no links to syndicates or groups.
Jocson also reiterated that none of their clients lost money.
Drilon later said after the hearing that the issue is now “under control.” He said there’s no reason to worry since the case was a “glitch, human error, no malice.”
“The important thing is the bank is able to respond.”
Jocson also said the glitch that caused unauthorized postings of deposits and withdrawals only affected transactions via automated teller machines, cash acceptance machines, and point of sale systems. This means that BPI accounts briefly reflected incorrect figures following a glitch on June 6, but they were already fixed. It also disabled electronic transactions for two days.
“(We) Never did transactions of one client cross to another client,” said Jocson. “We’re working with a combination of process, people and technology.”
He also guaranteed that no banking data of clients was leaked because they were in a “closed system” and not connected to anything external.
BPI President and CEO Cezar P. Consing said some 1.5 million clients out of their total 8 million clients were affected by the error in its processing.
“Much, much smaller than some of the figures circulating prominently in social media,” said the official of the third largest bank in the Philippimes. He also backed the Jocson’s claim that there was no hacking involved jn the system error that shut down their system for at least 26 hours.
“We regret the error and we are working to ensure that there’ll be no repeat of this unfortunate incident. We informed the regulators that there was no breach of data privacy. I can assure you, we will continue to do everything we can to gain our standing with our regulators, clients, the public, and you, lawmakers,” he said.
Edwin Romualdo Reyes, executive vice president and head of the BDO Transaction Banking Group, meanwhile, said they are currently upgrading their ATMs to defeat “deep insert skimmers” after seven of its ATMs had been compromised due to local skimming attacks.
He said they have a fully-staffed anti-fraud team working 24/7 to ensure that skimming would no longer happen.
“BDO adheres to principles of quality control. BDO assures the public that there is no cause for worry.”
He told the senators that three separate fraud events affected seven ATMs in three locations buit added that the number of ATMs involved accounted to only 0.2 percent of 3,700 BDO ATMs nationwide, which will be upgraded by the end of the due to the rise of new kinds of theft.
As ordered by the Bangko Sentral ng Pilipinas, BDO is migrating its clients from the 50-year-old magnetic strip ATM cards to the EMV chip, which is more secure against skimming.
A few days after the glitch at BPI, clients of BDO reported separate incidents of unauthorized withdrawals from their accounts.
Escudero said the two banks are not liable due to the absence of an intentional wrongdoing or an error out of negligence.
“But if it was an honest mistake, just like in our ordinary lives, there is no liability unless it’s out of negligence,” adding that he is looking into the possibility of holding a second hearing.