The Comelec is downplaying the hacking of its website last Mar. 27. But sensitive personal info on 55 million voters have been exposed. Dumped in public websites, the data include not only names, birth dates and addresses, but also fingerprints, photos and signatures, experts note. Cybercriminals can exploit the data for all sorts of fraud, like fake bank withdrawals and home bills, extortion, and blackmail. Most at risk of identity theft are 1.3 million overseas absentee voters, as their passport numbers and other I.D. entries are now publicized.
The exposed voter database can also mess up the May 9 elections. For compromising personal and electoral security, negligent Comelec officials must be sued criminally and for civil damages, experts say.
The Comelec belittled the hacking by Anonymous Philippines as mere vandalism. The local chapter of the international hackers’ group had posted a warning on the poll body’s website, and in social media, against automated fraud. Taken down two days later, the message was for activating the security features of the vote counting machines. One of its members, “n3far1ous,” hinted at worse should the group be ignored. “Dear Comelec, do you think it is impossible to dump the database? Well, think again,” he wrote on a Facebook page.
That became reality, as reported ten days later, Apr. 6, by info-tech security giant Trend Micro. “Every registered voter in the Philippines is now susceptible to fraud and other risks after a massive data breach leaked the entire database of the Comelec,” it blared in its news blog. “While initial reports have downplayed the impact of the leak, our investigations showed a huge number of sensitive personally identifiable information (PII) – including passport information and fingerprint data – were included in the data dump.” (See http://blog.trendmicro.com/trendlabs-security-intelligence/55m-registered-voters-risk-philippine-commission-elections-hacked)
Unmentioned by the Comelec was a second cyber attack. Trend Micro discovered that a second hacking crew, LulzSec Philippines, had stolen 16 databases from the poll body’s website and posted it online. “Within the day they added three more mirror links where the database could be downloaded,” the company reported.
Staggering are the figures. Trend Micro stated: “With 55 million registered voters in the Philippines, this leak may turn out as the biggest government related data breach in history, surpassing the Office of Personnel Management hack last 2015 that leaked PII, including fingerprints and social security numbers (SSN) of 20 million US citizens.”
Other software makers and web security researches, life Softpedia, investigated the hacking (see http://news.softpedia.com/news/data-on-55-million-filipinos-leaks-after-anonymous-hacks-elections-website-502687.shtml)
The Comelec should be held liable for violating the Data Privacy Act, Edmundo Casiño, former president of the Philippine Computer Society, told The STAR. R.A. 10173 penalizes negligence in handling personal information in databases (see http://www.gov.ph/2012/08/15/republic-act-no-10173). This is worse than the Philippines being the money laundering site for $81 million hacked and stolen from Bangladesh Central Bank’s depository in New York, he said.
That the passport info of 1.3 million overseas absentee voters was leaked makes such lawsuit all the more necessary, said Ernie del Rosario, former director of the Comelec Information-Technology Department. The leak of their passport info, coupled with their fingerprints, photos and signatures, open them more than others to fraud. Matched with their names, addresses and birth dates, verification of their identification is more than 99-percent accurate. Their bank accounts can be altered, and deposits stolen if cybercriminals decode passwords using the stolen identities.
When a website is hacked, assume that it is not just defaced, but data are stolen, tampered or manipulated, and worms or Trojan horses implanted, del Rosario said. He warned of chaos on Election Day if the website remains un-purged.
To prevent that, del Rosario suggested an immediate security audit by the Comelec. Such audit would identify when and where the breaches occurred, the missing or altered data, and possible corrective measures.
The Comelec has just commissioned a German firm for P123 million to purge the voters’ list of multiple, false, delisted, and deceased registrants. The project should have begun 90 days ago, but the poll body has only 30 days left before Election Day to do it. Meanwhile, the month-long overseas absentee voting already commenced last Saturday.
Del Rosario suggested that the Comelec rush the project in order to come up with a cleansed voter list to post for Election Day. As for other leaked data, the poll body can regenerate the backups, but ensure that sensitive personal data are separated and secured.
(For background on “n3far1ous,” see https://www.pinoyhacknews.com/interview-with-n3far1ous)
* * *
Willie Nep’s “Pang-GULO ng Pilipinas,” the show that happens only once every six years, will be staged on Apr. 30, at the Music Museum, Greenhills Commercial Center, San Juan City. Watch it before you vote.
For reservations, call TicketWorld at (02) 891-9999; and Music Museum, (02) 721-6726.
* * *
Catch Sapol radio show, Saturdays, 8-10 a.m., DWIZ, (882-AM).
Gotcha archives on Facebook: https://www.facebook.com/pages/Jarius-Bondoc/1376602159218459, or The STAR website http://www.philstar.com/author/JariusBondoc/GOTCHA
E-mail: jariusbondoc@gmail.com