2021 Banco de Oro hack

Duration: November–December 2021
Type: Bank fraud
Theme: Cybercrime
Target: 700+ Banco de Oro (BDO) accountholders
Participants: Involved financial institutions
  • Banco de Oro (BDO)
  • Unionbank
  • Potentially other banks and non-bank financial institutions
Suspects: 2–4 alleged hackers; the pseudonym "Mark Nagoyo" was used.

In late 2021, at least 700 account holders of the Philippine bank Banco de Oro (BDO) lost their money through unauthorized bank transfers.

Fraud

From late November to early December 2021,[1] numerous accountholders of BDO Unibank (Banco de Oro; BDO) lost their money through unauthorized bank transfers. The funds were noted to have been transferred to multiple Unionbank accounts under the name of a certain "Mark Nagoyo".[2][3] Fraud victims lost money ranging from ₱25,000 to ₱50,000 per BDO account.[1]

The scheme has been characterized as having been carried out through hacking.[4] Fraud victims created several Facebook groups, where many maintained that they had not clicked any dubious links sent through messaging apps, SMS, or email that would have made them fall for a phishing attempt. Other accounts say that victims did not receive any one-time password (OTP) that would have alerted them to someone making an unauthorized login to their bank accounts, nor any OTP indicating that a new device had been linked to their accounts, and that some had funds larger than the daily limit transferred out of their accounts. Manila Bulletin Technews also reported that funds worth ₱5 million transferred to one Unionbank account were used to buy Bitcoin on December 11.[1]

There are also accounts of victims saying that perpetrators used other platforms such as GCash and the Bank of the Philippine Islands (BPI) instead of Unionbank.[5]

Perpetrators

The name "Mark Nagoyo",[a] which is associated with the Unionbank accounts, is believed to be fictitious or a pseudonym. By December 15, the Bangko Sentral ng Pilipinas, the Philippines' central bank, had identified two to four people as perpetrators of the hack. These people were employees of neither BDO nor Unionbank.[7] Five suspects, two Nigerian nationals and three Filipinos, have been arrested in relation to the hack.[8]

Response

BDO released a statement on December 12, 2021, saying that some of its accountholders were affected by "a sophisticated fraud technique", and pledged to reimburse the lost funds to the fraud victims and bolster its security infrastructure. The Bangko Sentral ng Pilipinas has said that it is monitoring the increase in complaints about the incident on various social media platforms and is working closely with BDO and Unionbank over the incident.[9][3] Fewer than ten Unionbank accounts which received funds from BDO accounts have been frozen in response to the incident.[10] The National Privacy Commission also coordinated with BDO to determine if any personal information was compromised in connection with the incident.[11] Globe Telecom has also pledged assistance to the central bank in its investigation.[12]

On December 14, BDO announced that it is reimbursing funds of around 700 account holders.[13] It was reported that BDO is requiring victims to sign a quitclaim before reimbursing their lost money, in exchange for not filing legal charges against the bank. According to DTI undersecretary Vic Dimagiba, this could put victims at a disadvantage since they could potentially be entitled to more claims than the funds lost to the hack, such as losses arising from the inability to process the affected account holders' housing loan installment payment.[5]

On December 17, the BSP disclosed that its initial findings suggest that the stolen funds from BDO may have also been transferred to multiple banks and non-bank financial institutions aside from Unionbank.[14]

On January 21, 2022, the National Bureau of Investigation presented five suspects who were arrested in relation to the hack.[8]

Reactions

Bayan Muna has called for the Committee on Banks and Financial Intermediaries of the House of Representatives to launch a legislative inquiry over the incident.[15]

The Bankers Association of the Philippines issued a statement reminding bank accountholders to never give their personal information, including OTPs, to other people and urged the public to remain vigilant against cybercrimes.[16]

Notes

  a. Nagoyo is a Filipino word that derives from the root word goyo, meaning "joking (with someone)" or "something done to make a fool of someone".[6]

References

  1. Samaniego, Art (December 11, 2021). "Hacked BDO accounts are used to buy Bitcoin via UnionBank". Manila Bulletin. Retrieved December 12, 2021.
  2. "Philippines battles surge in complaints of account hacking". Bangkok Post. Reuters. December 12, 2021. Retrieved December 12, 2021.
  3. "BDO vows to reimburse fraud victims, strengthen security controls". CNN Philippines. December 12, 2021. Archived from the original on December 12, 2021. Retrieved December 12, 2021.
  4. Torregoza, Hannah (December 12, 2021). "Poe calls for swift, transparent probe on bank hacking incident". Manila Bulletin. Retrieved December 12, 2021.
  5. de Guzman, Warren (December 15, 2021). "Biktima ng BDO hack dehado umano sa quitclaim" [Victim of BDO hack at a disadvantage due to quitclaim]. ABS-CBN News (in Filipino). Retrieved December 15, 2021.
  6. Cepeda, Mara (December 12, 2021). "BDO clients lose money due to alleged online banking hack". Rappler. Retrieved December 20, 2021.
  7. Cordero, Ted (December 15, 2021). "BSP traces two to four hackers behind 'Mark Nagoyo' account". GMA News. Retrieved December 15, 2021.
  8. Baroña, Franco Jose (January 21, 2022). "5 arrested in BDO cyberattack". The Manila Times. Retrieved January 22, 2022.
  9. Cepeda, Mara (December 12, 2021). "BDO clients lose money due to alleged online banking hack". Rappler. Retrieved December 12, 2021.
  10. "Philippine central bank probes complaints of account hacking". South China Morning Post. December 12, 2021. Retrieved December 12, 2021.
  11. De Guzman, Warren (December 13, 2021). "Privacy watchdog checks if personal info leaked in BDO incident". ABS-CBN News. Retrieved December 13, 2021.
  12. Fenol, Jessica (December 13, 2021). "Globe says ready to help in probe on bank fraud". ABS-CBN News. Retrieved December 13, 2021.
  13. Caraballo, Mayvelin (December 14, 2021). "BDO to reimburse 700 clients affected by hacking". The Manila Times. Retrieved December 14, 2021.
  14. Chipongian, Lee C. (December 17, 2021). "More financial institutions involved in BDO hacking – BSP". Manila Bulletin. Retrieved December 17, 2021.
  15. Patag, Kristine Joy; Luna, Franco (December 13, 2021). "House reps urge inquiry into unauthorized BDO money transfers". The Philippine Star. Retrieved December 13, 2021.
  16. Chipongian, Lee (December 12, 2021). "BDO to reimburse affected clients soon; bankers group call for vigilance against cyber crimes". Manila Bulletin. Retrieved December 12, 2021.