Privacy Commissioner John Henry Naga’s statement on possible personal data breach in recent BDO hacking

The National Privacy Commission (NPC) is investigating the possible personal data breach involving unauthorized transactions and potential unauthorized processing of personal data resulting from the suspected compromise of multiple BDO Unibank, Inc. (BDO) accounts.

As early as December 11, 2021, the NPC’s Complaints and Investigation Division commenced the investigation of this serious security incident to determine the full extent of the compromise and any violations of the Data Privacy Act (DPA).

On December 13, 2021, the NPC issued notices to both BDO and Unionbank to explain, including requiring the banks to furnish additional information, documents, evidence, or witnesses, as may be necessary. The NPC has been in constant coordination with both banks in relation to the sua sponte investigation of the security incident.

Under the NPC’s Rules of Procedure, a sua sponte investigation allows the Commission to investigate possible personal data breaches even without a formal complaint from the public or a third party.

The NPC is also looking into the relevance of BDO’s 10-year-old system to the alleged security incident, to determine whether sufficient technical, organizational, and physical safeguards were in place to prevent unauthorized disclosure of personal information that may have been contained in the system.

Apart from requiring additional evidence and information, the NPC has ordered BDO and Unionbank to appear for a clarificatory conference on January 4, 2022, to verify and clarify the evidence submitted by the banks in relation to the investigation.

The NPC assures the public that all steps necessary to safeguard the rights of data subjects shall be taken and that the Commission shall exercise the full extent of its powers under the law against any party found to be in violation of the DPA.

The Commission is also coordinating with other government agencies in relation to this security incident.

Privacy Commissioner