2021 Banco de Oro hack

In late 2021, at least 700 account holders of the Philippine bank Banco de Oro (BDO) lost their money through unauthorized bank transfers.

Fraud
From late November to early December 2021, numerous accountholders of BDO Unibank (Banco de Oro; BDO) lost their money through unauthorized bank transfers. The funds were noted to have been transferred to multiple Unionbank accounts under the name of a certain "Mark Nagoyo". Fraud victims lost money ranging from ₱25,000 to ₱50,000 per BDO account.

The scheme has been characterized as having been carried out through hacking. Several Facebook groups were created by the fraud victims, where many maintained that they did not click any dubious links, sent through messaging apps, SMS, or email, that would make them fall for a phishing attempt. Other accounts suggest that victims did not receive any one-time password (OTP) that would have alerted them to someone making an unauthorized login to their bank accounts, nor any OTP indicating that a new device was linked to their accounts, and that some had funds larger than the daily limit transferred out of their accounts. Manila Bulletin Technews also reported that funds worth ₱5 million transferred to one Unionbank account were used to buy Bitcoin on December 11.

There are also accounts of victims saying that perpetrators used other platforms such as GCash and the Bank of the Philippine Islands (BPI) instead of Unionbank.

Perpetrators
The name "Mark Nagoyo", which is associated with the Unionbank accounts, is believed to be fictitious or a pseudonym. By December 15, the Bangko Sentral ng Pilipinas, the Philippines' central bank, had identified two to four people as perpetrators of the hack. These people were employees of neither BDO nor Unionbank. Five suspects, two Nigerian nationals and three Filipinos, have been arrested in relation to the hack.

Response
BDO released a statement on December 12, 2021, saying that some of its accountholders were affected by "a sophisticated fraud technique", and pledged to reimburse the lost funds to the fraud victims and bolster its security infrastructure. The Bangko Sentral ng Pilipinas has said that it is monitoring the increase in complaints about the incident on various social media platforms and is working closely with BDO and Unionbank over the incident. Fewer than ten Unionbank accounts which received funds from BDO accounts have been frozen in response to the incident. The National Privacy Commission also coordinated with BDO to determine if any personal information was compromised in connection with the incident. Globe Telecom has also pledged assistance to the central bank in its investigation.

On December 14, BDO announced that it is reimbursing funds of around 700 account holders. It was reported that BDO is requiring victims to sign a quitclaim before reimbursing their lost money, in exchange for not filing legal charges against the bank. According to DTI undersecretary Vic Dimagiba, this could put victims at a disadvantage since they could potentially be entitled to more claims than the funds lost to the hack, such as losses arising from the inability to process the affected account holders' housing loan installment payment.

On December 17, the BSP disclosed that its initial findings suggest that the stolen funds from BDO may have also been transferred to multiple banks and non-bank financial institutions aside from Unionbank.

On January 21, 2022, the National Bureau of Investigation presented five suspects who were arrested in relation to the hack.

Reactions
Bayan Muna has called for the Committee on Banks and Financial Intermediaries of the House of Representatives to launch a legislative inquiry over the incident.

The Bankers Association of the Philippines issued a statement reminding bank accountholders to never give their personal information, including OTPs, to other people and urged the public to remain vigilant against cybercrimes.