MANILA (UPDATE)- Sen. Sherwin Gatchalian on Wednesday said he has yet to rule out the possibility that there was an employee from the bank who helped a hacker use his credit card to purchase P1 million worth of food through an online delivery app.
The hacker obtained the one-time passwords for the transactions after changing the mobile number registered in his Unionbank credit card, Gatchalian told reporters in an online press conference.
"I don't rule out kung may coercion ito o kung may insider cooperation, puwedeng sa Food Panda, puwedeng sa bangko," he said.
(I don't rule out the possibility that someone was coerced or that there was insider cooperation, either from Food Panda or from the bank.)
The senator said he started receiving notifications via text message from Unionbank around 2 p.m. of Jan. 5, but was unable to check it until 6 p.m. as he was in the middle of a Senate hearing.
The purchases were done in 4 transactions that day, between 4:47 p.m. and 5:49 p.m., according to transaction details the senator posted on Twitter.
"Ang lesson dito, lahat ng notification dapat seryosohin natin. At kung may kaduda-duda sa notification, let's inform the bank," he said.
(The lesson here is we should take all notifications seriously and if there is something dubious, let's inform the bank.)
UnionBank has temporarily cancelled the senator's credit card while investigations are ongoing, Gatchalian said, noting that he still trusts the bank despite the incident.
"Hindi ko pa nakukuha 'yung mode na ginawa ng hacker," he said.
(I haven't pinpointed the mode of hacking the hacker used.)
"I'm not ruling out 'yung insider," he said.
Gatchalian said he would request the transaction details from Food Panda after he files a formal complaint before the police to see which food establishment accepted several orders worth between P90,000 and P300,000.
"I want to pursue this dahil tingin ko, marami pa mabibiktima nito... Imbestigahan muna natin kung saan ba naging butas," he said.
(I want to pursue this because I think there will be more victims... Let's investigate first to find out where the loophole was.)
The senator urged banks to review the security features of their online payment schemes, especially during the COVID-19 pandemic when most people prefer to go cashless.
"'Yung hackers na ito, pagaling nang pagaling. Kaya importante sa mga bangko na gumamit sila ng latest technology para mahabol nila itong mga hackers," Gatchalian said.
(Hackers are becoming better and better. So banks need to invest in the latest technology to keep up with the hackers.)
"Maraming tao ngayon ang nag-oonline transaction... 'Yung hackers, nagiging mas aktibo at agresibo. Kaya yung mga bangko, dapat mas alisto ngayon," he said.
(More people now engage in online transactions. So hackers are more active and aggressive nowadays. That's why banks must be more alert.)
The senator said he is "still compiling all the information" related to the incident before assessing if he should call for a congressional investigation to see if banks and online platforms have adequate security features against fraudulent transactions.
UnionBank said in a statement it is investigating the hacking of Gatchalian's credit card and coordinating with Food Panda, which has also started a probe on the issue.
"We assure all our customers that this matter is an isolated incident. UnionBank has always been committed to the security of our customers and we remain driven to ensure their safety when transacting online," it said.
"We also take this opportunity to remind all our customers to practice vigilance while doing financial transactions. Customers may visit the UnionBank website to learn some #CyberSure tips when using credit cards online."