Two of the biggest banks in the Philippines said they are stepping up data security to protect against fraud and identity theft in the wake of the public leak of millions of voter identification records from the Commission on Elections (Comelec) database.
BDO Unibank Inc. and Bank of the Philippine Islands (BPI) said they are expanding their security procedures after a warning was issued to all banks by the Bangko Sentral ng Pilipinas (BSP) to strengthen ‘Know-Your-Customer’ (KYC) identity verification practices following the Comelec leak.
Hackers obtained 55 million voters’ records and posted them online at the beginning of the month, including passport details of 1.3 million overseas Filipino workers and digital fingerprint records for 15.8 million people, according to online security firm TrendMicro.
In a memorandum, the BSP advised all its Supervised Financial Institutions (BSFIs) to strengthen their KYC practices relative to the unauthorized disclosure of voters’ registration records of the Commission on Elections (Comelec).
The BSP said, “All BSFIs are enjoined to strengthen their KYC practices and exercise extra vigilance against possible misuse of said information for financial transactions.”
Specifically, the central bank directed BSFIs to take additional steps to avoid relying on the information that could be obtained from the several websites where the stolen Comelec data was posted. That static information, the BSP said in its memorandum, “should be supplemented by requests for additional proof or secondary information to establish the true identity of new and existing clients.”
Banks avoiding leaked data
BDO Unibank Inc. President and Chief Executive Officer Nestor Tan said his bank has already begun taking steps to protect itself and its customers against potential fraud.
“We have to change the way we validate customer identities. In fact, there is a group we have met to address that. But we cannot share more information on that because some of the security processes are probably better left unknown to a potential fraud,” Tan explained.
Tan said the first step the bank has taken is to steer clear of the sort of information that is now publicly available.
“Second step is to look at how we can beef up the identification process in another way, and we will add to it as we move along,” he said.
Tan also stressed that the bank is spending a “huge amount” of money to manage online security.
“Online security and security in general is embedded in all of the things that we do. Online security is not something you can isolate. It is applied to every process that we have to take,” he said.
Meanwhile, Ayala-led Bank of the Philippine Islands (BPI) assured its clients of safe and secure banking in the wake of the data leak.
In an official statement, the bank said it has the strictest and most stringent measures in protecting the data of clients.
“Our protocols require us to go beyond the usual static information, such as complete name and birthday. We ask for other information that only the clients are expected to know. BPI does not use biometric data to effect transactions,” it said.
BPI also reminded its clients to take a proactive approach to securing their vital personal information.
BPI pointed out that it requires verbal confirmation and signed forms from clients when carrying out service request and offline transactions.
Tips for client safety include not sharing passwords; using passwords that are not related to personal information (such as a birthday); changing passwords frequently; and refraining from using public computers or other unsecured internet connections.