System glitch behind mystery transactions: Philippine bank

It rules out hacking as customers complained of unauthorised withdrawals and deposits

A branch of the Bank of the Philippine Islands (BPI) in Quezon City, east of Manila. Following the wave of unauthorised transactions on Wednesday, affected accounts were being corrected "client by client", said BPI senior vice-president Cathy Santamaria. PHOTO: EUROPEAN PRESSPHOTO AGENCY

Raul Dancel Philippines Correspondent In Manila

Updated

Published

Jun 09, 2017, 05:00 AM

The Philippines' third-largest bank was hit with a wave of unauthorised transactions on Wednesday that triggered fears of a hacking attack, although officials insisted it was just a systems glitch.

Bank of the Philippine Islands (BPI) had yet to fix the problem by late afternoon yesterday. The lender said that while ATMs were back online, all Internet and mobile phone services were still down.

Customers woke on Wednesday unable to access their accounts online, with many shocked to see unauthorised withdrawals and deposits.

One depositor reported losing as much as 100,000 pesos (S$2,800), while others found their payroll accounts with negative balances.

Many vented their frustrations on social media, saying they were unable to pay for pressing needs.

"This was a data processing glitch. This is not a hack at all," BPI president Cezar Consing said in a TV interview.

BPI senior vice-president Cathy Santamaria told the media: "It is an internal issue. There is a lot of rumour about... hacking or a scam. It has nothing to do with that.

"There's no money that physically went in or physically went out… It's a system data error… The money is still in the bank."

Ms Santamaria added that transactions from April 27 to May 2 this year apparently had been repeated, so customers now see money deducted or added to their accounts.

Affected accounts were being corrected "client by client".

"For those who have extra credit, please don't touch the money. It will be debited from your account,"Ms Santamaria said.

Asked why the errors surfaced only now when the affected transactions happened more than a month ago, she replied: "It was really an error. We're still assessing if it was a specific human error that got into the processing."

A senior consultant at a data security firm here told The Straits Times that it was likely that "a system administrator was given the go-signal to transfer still unreliable, undetected errors".

"It's not a security breach. It's an integrity breach caused by process failures," said the consultant, who declined to be named as his firm works with other banks.

Mr Nestor Espenilla, the incoming central bank governor, said he was accepting "for now" BPI's explanation that no hacking was involved, but will conduct its own probe.

"We have no reason to believe otherwise at this point in time. But as I said, this is standard operating procedure. We always verify every incident," he said in a radio interview.

Two weeks ago, BPI customers were alerted to a phishing scam involving e-mails purportedly from the bank warning clients their accounts had been compromised and would be locked unless they send private information via a web link.

Yesterday's incident led to a flurry of complaints on social media.

Chef Vic Sanchez, 49, said he was shocked to discover two withdrawals, of 5,000 pesos and 10,000 pesos, and an online payment of 2,600 pesos to retailer S&R, involving one of his BPI accounts.

Mr Sanchez said he still could not access his accounts yesterday online or via ATMs.

He told The Straits Times: "I needed money for my mum's hospitalisation needs. They're making me queue behind very long lines… They didn't even apologise."

BPI has about 7.9 million customers. Its shareholders include Singapore investment firm GIC.

Join ST's Telegram channel and get the latest breaking news delivered to you.