LAWMAKERS want the Commission on Elections (Comelec) to account for the 1.3 million passport data and 15.8 million fingerprints that were stolen by hackers from the poll body’s computer system.
Nationalist People’s Coalition Rep. Sherwin Gatchalian of Valenzuela and Party-list Reps. Neri Colmenares of Bayan Muna and Terry Ridon of Kabataan said the stolen voters’ information has been published on wehaveyourdata.com, with hacker group LulzSec Pilipinas aiming to make the government “start thinking about security of citizens’ personal data.”
“What is alarming is that this crucial data is just in plain text and accessible [to] everyone, including cyber criminals who can use the leaked personal information of Filipino voters for extortion and other illegal activities,” Gatchalian said.
On Thursday, agents of the National Bureau of Investigation Cybercrime Division arrested in Sampaloc, Manila, a suspect in the Comelec web site hacking, who turned out to be a 23-year-old fresh information-technology graduate.
Colmenares, meanwhile, scored the commission for its criminal neglect and incompetence, which allowed a massive data leak of its database, saying the leak included sensitive information of registered voters, including their addresses, birthdates and even passport numbers.
“Not only was the Comelec web site easily hacked, the culled data was also uploaded to a web site and exposed the sensitive and personal information of millions of Filipino voters to identity thieves and other predators. All cases of identity theft now could be blamed on the Comelec,” he said.
“The Comelec has utterly failed in its obligation to protect the fundamental human right of privacy of the Filipino people. The situation endangers the security, life and property of each one of us,” he added.
Under the Data Privacy Act, or Republic Act 10173, the lawmaker said it is the responsibility of the head of the agency to ensure that sensitive and personal information it maintains remain secure, using the most appropriate information and communications technology standards.
“Under the same law, negligence of the agency, resulting in a large-scale breach, is punishable by imprisonment of up to six years, fine and disqualification to hold public office. The agency must also be held accountable for concealment of this security breach, which is, likewise, punishable by imprisonment, fine and disqualification,” he added.
Moreover, Trend Micro, a global security software company, said the defacement and subsequent leak of the Comelec’s entire database online “may turn out as the biggest government-related data breach in history.”
“The report by Trend Micro is alarming, considering that the cyber attack on the Comelec web site left 55 million Philippine voters at risk, even surpassing the US Office of Personnel Management hack in 2015 that leaked personal data of 20 million US citizens,” Gatchalian said.
Gatchalian added it is imperative for the Comelec to assure all political parties, candidates and the voting population that all their systems, from the Internet web site to the transmission of votes from the vote-counting machines, are free from hacking and other forms of manipulation.
“The Comelec, under Chairman Andres Bautista, owes it to the Filipino people that the results of the May 9 polls will be reflective of the actual votes made. A credible election will ensure that our elected leaders will truly be the choice of the people,” he said.
Trend Micro reported that the personal data of 1.3 million overseas Filipino voters, which included passport numbers and expiry dates, as well as fingerprints of 15.8 million people, were compromised in the hacking of the Comelec’s web site on March 27.
Trend Micro also reported that, in previous cases of data breach, stolen data have been used to access bank accounts, to gather further information about specific persons, and as leverage for spear-phishing e-mails or Business E-mail Compromise schemes, blackmail or extortion, and much more.
The Comelec earlier downplayed the hacking of its web site, with Bautista saying that hackers from the group Anonymous Philippines failed to access any confidential information that may derail the 2016 elections.
For his part, Ridon said the massive data breach has “manifold ramifications to all affected voters, yet, the most insidious among these is the fact that unscrupulous groups—especially those currently in power—can use the data trove to commit automated electoral fraud of a scale unparalleled since the advent of automated polls.”
“With millions of sensitive personal information of voters now uploaded in the Internet and even searchable through a new search engine that sprouted recently, we cannot emphasize enough how the so-called Comeleaks totally compromises the integrity of the upcoming elections,” the legislator said.
Ridon also assailed the poll body for mishandling the data breach.
“What is the Comelec doing to safeguard millions of voters affected by the leak? The poll body must clearly be held accountable for this. It is the Comelec’s responsibility to protect and secure personal voter information. This case again highlights the poll body’s ineptitude and gross negligence of duty. Surely, in one way or another, this incident will affect the integrity of the upcoming national elections,” Ridon said.