BPI IT specialist violated Electronic Commerce Act of 2000
FIRST OF 2 PARTS
THE Senate committee on banks, financial institutions and currencies concluded on Wednesday its inquiry into the state of the banking system after alleged computer glitches this month hampered the operations of the Bank of the Philippine Islands (BPI) and Banco De Oro Unibank (BDO).
During the committee hearing, BPI representatives explained that an internal data processing error occurred in their computer system on June 6, causing mis-posting of transactions in their clients’ accounts. The “error” affected about 1.5 million clients, out of a total of 8 million. BPI had to take down its electronic banking channels, including Internet banking and mobile banking, to address and resolve its internal systems’ problems. BPI’s total systems downtime was 26 hours, spread over a span of 37 hours.
What goes on inside BPI’s information technology (IT) systems and infrastructure?
During banking days, all transactions (deposits/credits and withdrawals/debits) are only temporarily posted to the accounts’ balances. There are 3.5 million transactions per day, on average. The real updating of balances is done at night, when the automatic end-of-day (EOD) processing kicks in at 8 p.m.
Transaction log files are extracted from various application systems. This is done on a “closed system”, meaning there is no Internet connection and data communications run on their own exclusive network. Other transactions are passed on in batch files.
At around 10 p.m., electronic banking channels are closed for some 15 minutes and the bank’s main database is updated. All EOD operations are done automatically, without any human intervention.
What happened on June 6? Here is BPI’s version:
BPI received a request to reconcile the May 26 to May 29 transactions for their foreign correspondent banking.
Thus, a technical specialist, whose name BPI did not divulge (she was referred to only as “she”), was asked to extract the May 26 to May 29 transactions from the back-up files. Only 12 people in the bank are trained to do such an operation, and only two have access to the system. This technical specialist was one of the two.
For expediency, she extracted and generated the report from the “production” database instead of the back-up database. Moreover, she mistyped the dates, using April 27 to May 2 instead of May 26 to May 29. The extraction from the “live” database created a system file for EOD processing, which she disregarded and left undeleted. This was carried out at 3 p.m. on June 6.
As scheduled, at 8 p.m. the EOD processing kicked in and the system created its own file for EOD processing.
However, because a file already existed from the 3 p.m. extraction, the system did not overwrite it; it wrote the 8 p.m. data to a second file with a “.01” suffix. The EOD job then consumed the “bad” 3 p.m. file for updating instead of the “good” 8 p.m. file. Mis-postings ensued.
For IT practitioners, it is a rule of thumb, to protect the integrity and credibility of the data, never to run ad hoc operations such as this extract against the “live” production database, but against the back-up database. The same incident also shows why a scheduled batch job should refuse to run, rather than silently pick one file, when it finds an input file it did not produce.
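The file collision described above, replayed as an added Python example (not code from BPI or from the original column): a staging routine that never overwrites but appends “.01”, a legacy selector that blindly consumes the base file name, and a fail-closed selector that demands exactly one input carrying the scheduled run’s tag. The file name, the JSON header with a run tag, the account records and the timestamps are all constructed assumptions for illustration, not BPI’s real formats.

```python
import json
import tempfile
from pathlib import Path

STAGE_NAME = "eod_input.dat"  # assumed staging file name; not BPI's actual system


def write_stage_file(stage_dir: Path, records: list, run_tag: str) -> Path:
    """Stage records for EOD the way the column describes the legacy system:
    if the base name already exists, do not overwrite it; create a '.01',
    '.02', ... sibling instead. The first line is a header naming the run
    that produced the file (an assumption added so the check below can work)."""
    target = stage_dir / STAGE_NAME
    n = 0
    while target.exists():
        n += 1
        target = stage_dir / f"{STAGE_NAME}.{n:02d}"
    lines = [json.dumps({"run_tag": run_tag})] + [json.dumps(r) for r in records]
    target.write_text("\n".join(lines) + "\n")
    return target


def legacy_select(stage_dir: Path) -> Path:
    """Legacy selection: consume whatever sits under the base name."""
    return stage_dir / STAGE_NAME


def checked_select(stage_dir: Path, expected_run_tag: str) -> Path:
    """Fail-closed selection: exactly one candidate must exist and its header
    must name the scheduled run that was supposed to produce it."""
    candidates = sorted(p for p in stage_dir.iterdir()
                        if p.is_file() and p.name.startswith(STAGE_NAME))
    if len(candidates) != 1:
        raise RuntimeError("expected exactly one staging file, found "
                           + ", ".join(p.name for p in candidates))
    header = json.loads(candidates[0].read_text().splitlines()[0])
    if header.get("run_tag") != expected_run_tag:
        raise RuntimeError(f"{candidates[0].name} was produced by {header.get('run_tag')!r}, "
                           f"not by the scheduled run {expected_run_tag!r}")
    return candidates[0]


def quarantine_unexpected(stage_dir: Path, expected_run_tag: str) -> list:
    """Move staging files not produced by the scheduled run aside for review
    instead of deleting them: they are the evidence of what went wrong."""
    qdir = stage_dir / "quarantine"
    qdir.mkdir(exist_ok=True)
    moved = []
    for p in list(stage_dir.iterdir()):
        if not p.is_file() or not p.name.startswith(STAGE_NAME):
            continue
        header = json.loads(p.read_text().splitlines()[0])
        if header.get("run_tag") != expected_run_tag:
            p.rename(qdir / p.name)
            moved.append(p.name)
    return moved


def load_postings(path: Path) -> list:
    return [json.loads(line) for line in path.read_text().splitlines()[1:]]


def simulate(mode: str) -> dict:
    """Replay the June 6 sequence in a temporary staging directory.
    mode: 'legacy', 'checked' or 'checked+quarantine'. All data is constructed."""
    with tempfile.TemporaryDirectory() as tmp:
        stage = Path(tmp)
        # 3 p.m.: ad hoc extract run against production with the wrong dates, file left behind
        write_stage_file(stage, [{"acct": "0001", "amount": -7700, "date": "2017-04-27"}],
                         run_tag="adhoc-extract-2017-06-06T15:00")
        # 8 p.m.: the scheduled EOD job stages today's real postings
        write_stage_file(stage, [{"acct": "0001", "amount": 500, "date": "2017-06-06"}],
                         run_tag="eod-2017-06-06")
        moved = []
        if mode == "checked+quarantine":
            moved = quarantine_unexpected(stage, "eod-2017-06-06")
        try:
            chosen = (legacy_select(stage) if mode == "legacy"
                      else checked_select(stage, "eod-2017-06-06"))
        except RuntimeError as exc:
            return {"refused": str(exc)}
        return {"used": chosen.name, "postings": load_postings(chosen), "quarantined": moved}


if __name__ == "__main__":
    print(simulate("legacy"))               # silently posts the stale April extract
    print(simulate("checked"))              # refuses and names both files
    print(simulate("checked+quarantine"))   # moves the stray file aside, posts the 8 p.m. data
```

The point of the checked path is that the batch job stops at 8 p.m. with a message naming both files, which is a far cheaper failure than 26 hours of downtime and 1.5 million mis-posted accounts; the quarantine step preserves the stray file for the investigation instead of deleting it.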
The technical specialist owned up to her mistake and has been reassigned to another area of the bank. All her access rights to the system have been revoked.
My insight tells me that she violated Section 33 of the Electronic Commerce Act of 2000. This provision mandates that violators be punished by a minimum fine of P100,000 and a maximum commensurate to the damage incurred and a mandatory imprisonment of six months to three years.
The acts penalized in Section 33 are “unauthorized access” or “any access” (which includes authorized access) “resulting in the corruption, destruction, alteration, theft or loss of electronic data.” It is evident that the BPI depositors’ balances were corrupted and altered. The depositors’ data were lost, although belatedly restored.
There is reason to believe that the technical specialist violated this law.
Senator Escudero quipped, “100 percent hindi ito hacking?” (“100 percent this isn’t hacking?”). BPI answered in the affirmative.
The banking regulator, the Bangko Sentral ng Pilipinas (BSP), concurred: “There is no hacking. There is no computer glitch. Internal controls failed to detect the error.” Note that the BSP has not yet completed its full investigation of the matter.
The BSP further stated that it will not be imposing any penalties on BPI because their actions were fairly acceptable and there was no loss suffered by any client. What? Are they real? Have they not studied the big picture?
BPI said that the amounts involved were not large: the mis-posting caused an average debit error of a mere P7,700 and an average credit error of just P7,200. Bank officials claimed that those people who posted in social media that they were credited with P12 billion, P8 billion or P1 billion were lying. “The documents that they presented to the public and before the TV stations and the radio stations are all doctored and fake,” they added.
BPI boasted, “No money was lost.” Well, I can say that some credibility was lost.