Banks warned vs identity theft; ‘Comeleak’ website taken down

MANILA, Philippines - The Bangko Sentral ng Pilipinas (BSP) has directed banks and financial institutions to strengthen their know-your-customer (KYC) practices to ensure the protection of the banking public from identity theft in light of the release online of voters’ personal details.

The website, containing a searchable database of sensitive information of registered Filipino voters, has been taken down and a manhunt is on for two more hacking suspects.

Various groups, however, continued to express concern that the hacking and data release, dubbed the “Comeleak,” could be used for election fraud on May 9.

The Commission on Human Rights said yesterday that it is investigating possible violation of the right to privacy.

BSP deputy governor Nestor Espenilla Jr. issued Memorandum No. M-2016-005 ordering all BSP-supervised financial institutions (BSFIs) to beef up their KYC practices following the release of voters’ records of the Commission on Elections (Comelec).

“Relative to the reported unauthorized disclosure of voters’ registration records of the Comelec, all BSFIs are enjoined to strengthen their KYC practices and exercise extra vigilance against possible misuse of said information for financial transactions,” Espenilla said in the memo.

He pointed out that customer identification procedures of BSFIs that rely on static information that may be obtained from the disclosed Comelec records should be supplemented by requests for additional proof or secondary information to establish the true identity of new and existing clients.

Banco de Oro president and chief executive officer Nestor Tan said the bank, owned by retail and banking magnate Henry Sy, is reviewing its process of verifying accounts to avoid using information that has been made publicly available by hackers of the Comelec website.

“We are looking at using biometrics to aid in customer identity verification,” Tan said.

Allan Tumbaga, director for industry relations of the Bankers Marketing Association of the Philippines (BMAP), said the banking public should not panic in light of the hacking of the voters’ list of the Comelec.

Tumbaga pointed out that the customer verification of banks now goes beyond birth dates, address and mother’s maiden name, among others.

He said customer representatives of banks ask about account numbers, credit card numbers, history of transactions and other details about the account or credit card holders.

However, he encouraged the banking public to refrain from using birth dates and addresses, among others, as their PINs and passwords.

“If you used your birth dates, address, mother’s maiden name, you better change your PIN and passwords now,” he said.

Personal details of voters have been publicly released online via http://wehaveyourdata.com.

This raised alarm among netizens as the website contained information such as full names, birth dates, addresses, registration details and voter identification numbers.

Other voter details posted include the persons’ height and weight, passport details, and – in some cases – even biometric information such as fingerprint info and topography.

Website taken down

In an interview, Comelec spokesman James Jimenez noted that the website www.wehaveyourdata.com was taken down yesterday, in coordination with the US Department of Justice (DOJ).

“I was informed by the National Bureau of Investigation (NBI) that they already took down the site after coordination with other organizations abroad. The US-DOJ, for instance, was contacted for help in the take down,” he said.

The leak, now being called COMELEAK, is believed to be the biggest leak of a database of personal information in the country.

The information is believed to be from the database of the Comelec that was stolen on March 27.

“DOJ (is) currently in the process of requesting for the preserved data on Cloudflare and GoDaddy, through official channels, coordinating with the NBI,” he added in a follow-up Twitter post. 

GoDaddy is the domain host which provided the website address, while Cloudflare is the security provider of the website. Both companies are based in the United States. 

Based on the site information retrieved by The STAR before the site was taken down, the website was registered on April 8 and will expire in one year.

Other details, which may be easily faked, identified the owner as Alex Petrenko from Russia. 

According to the site page, the owners used the database dump of LulzSec Pilipinas containing information of around 70 million Philippine voters.

“The database contains a lot of sensitive information, including fingerprint data and passport information. So we thought that it would be fun to make a search engine over that data,” it added.

While the data has been publicly available since the hack on March 27, owners of the site noted that they have made it available for everyone with Internet access.

“It’s one thing to hear news about a huge data leak and another to see your data in a public website. Maybe, at least now, government will start thinking about security of citizens’ personal data,” they said.

CHR chairman Chito Gascon said they will also look into the incident. 

He said the Bantay Karapatan sa Halalan – an initiative of the CHR and other organizations to monitor human rights abuses during the May elections – will look into the human rights aspect of the leak, such as possible violation of the right to privacy. 

Security protocols

Malacañang called on the Comelec yesterday to ensure the integrity of polls following the hacking of the voters’ database.

The Palace, through Presidential Communications Operations Office Secretary Herminio Coloma Jr., strongly condemned the cyber-attack on the website of the Comelec and expressed concern over the incident.

“Although verifications that have been made thus far have shown that the integrity of the automated election system has not been affected by the latest cyber-attack, we share the public’s concern on the ill-effects of this act,” Coloma said.

Coloma said the government as a whole was determined to ensure that similar acts would not be repeated and that the perpetrators would be prosecuted in accordance with law.

Coloma assured the public that concerned government agencies, including the Department of Transportation and Communications-Information and Communications Technology Office, were closely coordinating with the Comelec to further strengthen its security protocols. – With Janvic Mateo, Aurea Calica, Sheila Crisostomo, Rey Galupo, Ghio Ong
